RSA Authentication Manager 8.1 Help Desk Administrators Guide

Contact Information

Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA SecurCare Online. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Contents

Users .... 23
  User Dashboard .... 24
    User Dashboard Tasks .... 24
    Use Quick Search to View the User Dashboard for a User .... 27
  Add a User with Options to the Internal Database .... 28
  Add a User to the Internal Database .... 29
  Edit a User in the User Dashboard .... 31
  Delete a User .... 31
  Enable a User Account in the User Dashboard .... 32
  Disable a User Account in the User Dashboard .... 33
  Locked User Accounts .... 33
  Unlock a User in the User Dashboard .... 34
  Assign a User Alias in the User Dashboard .... 34
  Change a User's Password in the User Dashboard .... 35
  Require a User to Change a Password using the User Dashboard .... 36
User Groups .... 41
  Add a User Group .... 41
  Edit User Groups .... 41
  View User Group Members .... 42
  Add a User to a User Group in the User Dashboard .... 42
  View User Group Memberships for a User in the User Dashboard .... 43


Preface

About This Guide

This guide describes the most common tasks that a Help Desk Administrator needs to manage RSA Authentication Manager.

Your company determines which tasks a Help Desk Administrator is allowed to perform. Since each company is different, this guide may contain some tasks that you cannot perform.

RSA Authentication Manager 8.1 Documentation

For information about RSA Authentication Manager 8.1, see the following documentation. RSA recommends that you store the product documentation in a location on your network that is accessible to administrators.

Release Notes. Describes what is new and changed in this release, as well as workarounds for known issues.

Hardware Appliance Getting Started. Describes how to deploy a hardware appliance and perform the Authentication Manager Quick Setup process.

Virtual Appliance Getting Started. Describes how to deploy a virtual appliance and perform the Authentication Manager Quick Setup process.

Planning Guide. Describes the high-level architecture of Authentication Manager and how it integrates with your network.

Setup and Configuration Guide. Describes how to set up and configure Authentication Manager.

Administrators Guide. Provides an overview of Authentication Manager and its features. Describes how to configure the system and perform a wide range of administration tasks, including managing users and security policies.

Help Desk Administrators Guide. Provides instructions for the most common tasks that a Help Desk Administrator performs on a day-to-day basis.

Hardware Appliance SNMP Reference Guide. Describes how to configure Simple Network Management Protocol (SNMP) to monitor an instance of Authentication Manager on a hardware appliance.

Virtual Appliance SNMP Reference Guide. Describes how to configure Simple Network Management Protocol (SNMP) to monitor an instance of Authentication Manager on a virtual appliance.

Troubleshooting Guide. Describes the most common error messages in RSA Authentication Manager and provides the appropriate actions to troubleshoot each event.


the RSA Authentication Manager application programming interfaces (APIs). Includes an overview of the APIs and Javadoc for Java APIs.

Performance and Scalability Guide. Describes what to consider when tuning your deployment for optimal performance.

6.1 to 8.1 Migration Guide. Describes how to migrate from an RSA Authentication Manager 6.1 deployment to an RSA Authentication Manager 8.1 deployment.

7.1 to 8.1 Migration Guide: Migrating to a New Hardware Appliance or Virtual Appliance. Describes how to migrate from an RSA Authentication Manager 7.1 deployment to an RSA Authentication Manager 8.1 deployment on a new hardware appliance or virtual appliance.

7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 on Existing Hardware. Describes how to migrate from an RSA Authentication Manager 7.1 deployment to an RSA Authentication Manager 8.1 deployment on existing, supported RSA SecurID Appliance 3.0 hardware.

Security Console Help. Describes day-to-day administration tasks performed in the Security Console.

Operations Console Help. Describes configuration and setup tasks performed in the Operations Console.

Self-Service Console Help. Describes how to use the Self-Service Console. To view the Help, on the Help tab in the Self-Service Console, click Self-Service Console Help.

RSA Token Management Snap-In Help. Describes how to use software that works with the Microsoft Management Console (MMC) for deployments that have an Active Directory identity source. Using this snap-in, you can enable or disable a token, assign a token, or perform other token-related tasks without logging on to the Security Console.


Support and Service

Customer Support Information

www.emc.com/support/rsa/index.htm

RSA Solution Gallery

https://gallery.emc.com/community/marketplace/rsa?view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

The RSA Solution Gallery provides information about third-party hardware and software products that have been certified to work with RSA products. The gallery includes Secured by RSA Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support

Please have the following information available when you call:

- Access to the RSA Authentication Manager appliance.
- Your license serial number. To locate the license serial number, do one of the following:
  - Look at the order confirmation e-mail that you received when you ordered the product. This e-mail contains the license serial number.
  - Log on to the Security Console, and click License Status. Click View Installed License.
- The Authentication Manager appliance software version information. You can find this information in the top right corner of the Quick Setup, or in the Security Console. Log on to the Security Console, and click Software Version Information.


RSA Authentication Manager Overview

This chapter introduces you to the components, features, and tasks in Authentication Manager that are important for helping customers solve day-to-day authentication problems.

For additional information about the features in this guide, see the RSA Authentication Manager 8.1 Administrators Guide.

Purpose of RSA SecurID and RSA Authentication Manager

RSA SecurID uses a patented, time-based two-factor authentication mechanism to validate users. It enables administrators to verify the identity of each user attempting to access computers, networks, and other resources.

RSA Authentication Manager software is the management component of RSA SecurID. It is used to verify authentication requests and centrally administer security policies for authentication, users, and groups for enterprise networks.

Authentication Manager software is scalable and can authenticate large numbers of users. It is interoperable with network, remote access, wireless, VPN, Internet, and application products.

How Authentication Manager Protects Resources

Records of users, agents, tokens, and users' PINs reside in Authentication Manager or in LDAP directories. During authentication, Authentication Manager compares these records to the information a user enters when logging on. If the records and tokencode or passcode match, the user gains access.

During an authentication, Authentication Manager and the agent software work in the following way:

1. A user logs on to access a protected resource.
2. The agent prompts the user to enter a User ID and an RSA SecurID passcode or tokencode.
3. The user reads the tokencode from the token and then enters his or her PIN plus the tokencode to create the passcode. (If a PIN is not required, the user enters the tokencode only.) The entered data is encrypted and the agent sends the data to Authentication Manager.
4. Authentication Manager receives the User ID and passcode or tokencode and looks for the user record in an identity source.


5. Authentication Manager calculates the correct value of the passcode by accessing the token record of the token assigned to the user. Using data contained in the token record, it generates the passcode to compare with that supplied by the user.
6. Authentication Manager evaluates the policies defined by the administrator.
7. If the passcode is correct and the policies allow access, Authentication Manager approves the authentication request. The user gains access to the protected device.

RSA SecurID Tokens Overview

RSA SecurID tokens offer two-factor authentication by generating a 6-digit or 8-digit tokencode at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter the passcode to verify their identity to resources protected by Authentication Manager. If Authentication Manager validates the passcode, the user is granted access. Otherwise, the user is denied access.

There are two kinds of SecurID tokens, hardware tokens and software tokens. Hardware and software tokens require similar administrative tasks. You can perform many token-related administrative tasks with the User Dashboard in the RSA Security Console.

Risk-Based Authentication

Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analyzing user behavior and the device of origin. RBA strengthens RSA SecurID authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity by using one of the following methods:


On-demand authentication (ODA). The user must correctly enter a PIN and aone-time tokencode that is sent to a preconfigured mobile phone number or e-mailaccount.

Security questions. The user must correctly answer one or more pre-enrolledsecurity questions. Correct answers to questions can be established either duringpre-enrollment or during authentication when silent collection is enabled.


RSA Authentication Manager contains a risk engine that intelligently accumulates and assesses knowledge about each user's device and behavior over time. When the user attempts to authenticate, the risk engine refers to the collected data to evaluate the risk. The risk engine then assigns an assurance level such as high, medium, or low to the user's authentication attempt. RBA compares this to the minimum acceptable level of assurance that you have configured. If the risk level is higher than the minimum assurance level, the user is prompted to confirm his or her identity by answering security questions or using ODA.

Policies Overview

Policies are associated with security domains and control various aspects of your deployment.

Token policy. A token policy defines users' RSA SecurID PIN lifetime and format, and fixed passcode lifetime and format, as well as how a deployment handles users or unauthorized people who enter a series of incorrect passcodes.

Offline authentication policy. An offline authentication policy defines the way users authenticate when they are not connected to the network.

Password policy. Password policies define the users' password length, format, and frequency of change.

Lockout policy. Lockout policies define how many failed logon attempts users can make before the system locks their account. Lockout policies apply to the total number of logon attempts a user makes regardless of the type of credential used for each attempt.

Self-Service troubleshooting policy. The self-service troubleshooting feature allows Self-Service Console users to troubleshoot routine authentication problems if they cannot access protected resources using primary methods, such as passwords or passcodes. The self-service troubleshooting policy defines an alternative form of authentication, such as security questions, used to access the troubleshooting feature. The policy also specifies the circumstances that lock a user out of the troubleshooting feature.

Risk-based authentication (RBA) policy. RBA policies contain all RBA settings, including the minimum assurance level that is required for logon, and the identity confirmation methods that can increase the assurance level of a logon request.

Risk-based authentication message policy. The RBA message policy defines the message that users receive when they are challenged to configure their identity confirmation method.
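The verification flow in steps 1 through 7 of How Authentication Manager Protects Resources, together with the lockout policy and the Unlock task described in this guide, modeled as an added example (not RSA code). The tokencode function is a generic HMAC-SHA256 time-based code standing in for the proprietary SecurID algorithm; the user record, token serial, seed, PIN and 60-second interval are constructed sample values.

```python
"""Model of the SecurID authentication flow described in this chapter.

Added illustration, not RSA code. The tokencode function is a generic
HMAC-SHA256 time-based code used as a stand-in; the real SecurID
algorithm is proprietary and is not reproduced here.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

INTERVAL_SECONDS = 60  # tokencode changes every interval (constructed value)


@dataclass
class TokenRecord:
    """Token record: the data Authentication Manager reads in step 5."""
    serial: str
    seed: bytes          # shared secret provisioned with the token
    digits: int = 6      # SecurID tokens display 6 or 8 digits
    enabled: bool = True


@dataclass
class UserRecord:
    """User record held in an identity source (looked up in step 4)."""
    user_id: str
    pin: str             # empty string when no PIN is required
    token: TokenRecord
    enabled: bool = True
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LockoutPolicy:
    """Lockout policy: failed attempts allowed before the account locks."""
    max_failures: int = 3


def tokencode(token: TokenRecord, now: int) -> str:
    """Stand-in tokencode: HMAC of the current time interval, truncated
    to the token's digit count (not the SecurID algorithm)."""
    interval = now // INTERVAL_SECONDS
    mac = hmac.new(token.seed, struct.pack(">Q", interval), hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** token.digits)
    return f"{code:0{token.digits}d}"


@dataclass
class AuthenticationManager:
    users: dict
    lockout: LockoutPolicy = field(default_factory=LockoutPolicy)

    def authenticate(self, user_id: str, passcode: str, now: int) -> tuple:
        """Steps 4 to 7: look up the user, compute the expected passcode,
        apply policy, and approve or deny."""
        user = self.users.get(user_id)                 # step 4
        if user is None:
            return False, "unknown user"
        if user.locked:
            return False, "account locked"
        if not user.enabled or not user.token.enabled:
            return False, "user or token disabled"
        # Step 5: passcode = PIN + tokencode (tokencode only when no PIN).
        expected = user.pin + tokencode(user.token, now)
        # Step 7: constant-time comparison against the supplied passcode.
        if hmac.compare_digest(expected.encode(), passcode.encode()):
            user.failed_attempts = 0
            return True, "access granted"
        # Step 6: the lockout policy counts consecutive failed attempts.
        user.failed_attempts += 1
        if user.failed_attempts >= self.lockout.max_failures:
            user.locked = True
            return False, "account locked"
        return False, "passcode mismatch"

    def unlock(self, user_id: str) -> None:
        """Help Desk task from the User Dashboard: unlock a locked user."""
        user = self.users[user_id]
        user.locked = False
        user.failed_attempts = 0


def build_demo() -> AuthenticationManager:
    """Constructed sample deployment: one user with one 6-digit token."""
    token = TokenRecord(serial="000123456789", seed=b"constructed-demo-seed")
    users = {"jdoe": UserRecord(user_id="jdoe", pin="2468", token=token)}
    return AuthenticationManager(users=users)


if __name__ == "__main__":
    am = build_demo()
    now = 1_700_000_000
    good = "2468" + tokencode(am.users["jdoe"].token, now)
    print(am.authenticate("jdoe", good, now))          # (True, 'access granted')
    for _ in range(3):
        print(am.authenticate("jdoe", "0000000000", now))
    print(am.authenticate("jdoe", good, now))          # (False, 'account locked')
```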


Identity Sources

In Authentication Manager, user and group data are kept in data stores called identity sources. There are two types of identity sources:

The Authentication Manager internal database. This database contains all application and policy data, and your company may also choose to store user and user group data in it.

As a Help Desk Administrator, you need to perform tasks that require Authentication Manager to access identity sources. For example, these tasks include:

Add a User to the Internal Database on page 29

Delete a User on page 31

Enable a User Account in the User Dashboard on page 32

Disable a User Account in the User Dashboard on page 33

Change a User's Password in the User Dashboard on page 35

RSA Self-Service

RSA Self-Service is a web-based workflow system that provides user self-service options and automates the token deployment process. Self-Service has two components:

Self-Service. Users can perform some token maintenance tasks and troubleshooting without involving administrators. This reduces the time that you need to spend helping users when they forget their PINs, misplace their tokens, require emergency access, or require token resynchronization.

Provisioning. Users can perform many of the steps in the token deployment process, and the system automates the workflow. This reduces administrative overhead typically associated with deploying tokens, especially in a large-scale token deployment.

Certain tasks related to Self-Service still require administrative assistance. As a Help Desk Administrator, you may be asked to perform the following tasks:

Clear a Cached Copy of Windows Credentials in the User Dashboard on page 77

Managing Security Questions on page 36

Important: Users can only modify data that is stored in the internal database. Users cannot use the Self-Service Console to modify data that is stored in an LDAP directory, except when a password change is forced.


Reports

Reports provide access to logged information, and current information about the users, administrators, and system activity in a deployment. This information is useful for troubleshooting, auditing security issues, and demonstrating compliance with various policies.

You create a report using a supplied template. Each template allows you to choose the types of information being reported and which parameters to apply in order to refine that information. You can view activities for all administrators, or you can display detailed information on one administrator.

In addition, you can perform the following reporting tasks:

View and download completed reports, view reports that are currently running or reports that are waiting in the report queue. You can view the report output in the Security Console, or download the report as a CSV, XML, or HTML file.

Transfer reports to other security domains. When running a report, change the report ownership so that the administrative scope is narrowed or broadened.

Administrative Roles

Administrators manage all aspects of the Authentication Manager deployment, such as users, tokens, and security domains. Each administrator is assigned an administrative role that has its own set of administrative privileges and areas of responsibility.


Confirming a User's Identity

As a Help Desk Administrator, it is critical that you verify the end user's identity before performing any Help Desk operations on their behalf. Recommended actions include:

- When a user calls the Help Desk, only ask for the user's User ID. You should never ask for token serial numbers, tokencodes, PINs, passwords, and so on.
- If you must initiate contact with a user, do not request any user information. Instead, tell users to call the Help Desk back at a well-known Help Desk telephone number to ensure that their original request is legitimate.
- Call the user back on a phone owned by the organization and on a number that is already stored in the system.
- Send the user an e-mail to a company e-mail address. If possible, use encrypted e-mail.


Using the Security Console

Security Console

Authentication Manager includes an administrative user interface called the Security Console.

The following figure shows the Home page of the Security Console.

You use the Security Console for most day-to-day administrative activities, and for some setup and configuration tasks. For example, you use the Security Console to:

- Add and manage users and user groups
- Assign and manage RSA SecurID tokens
- Enable and disable users for risk-based authentication or on-demand authentication


Log On to the Security Console

You must log on to the Security Console in order to complete administrative tasks.

Note: Do not use the back button for your Internet browser to return to previously visited Console pages. Instead, use the Security Console navigation menus and buttons to navigate.

Before You Begin

Make sure you have the appropriate logon credentials.

Procedure

To log on to the Security Console, go to the following URL:

https://fully qualified domain name:7004/console-ims

Important: If the Security Console is protected with RSA SecurID, the SecurID PIN


Help On This Page

Each page of the Security Console offers a list of Help topics relevant to that page on the Security Console.

To access Help on This Page, find the Help on This Page link on the right side of the page.

Help Table of Contents

The Help table of contents for the Security Console organizes help topics by Authentication Manager features and concepts. The Help table of contents displays on the left side of the Security Console window.

To access the table of contents, click on a Help on This Page link, or click Help > All Help Topics.


iHelp

The iHelp refers to the question mark icon that is located beside Security Console fields and options. When you place the cursor over the icon, you can see the text that describes the field. Use the iHelp when you need assistance as you complete tasks in the Security Console. The iHelp allows you to quickly access information about a field without using the Help system.

To access the iHelp, move your cursor over the iHelp icon that is located on the left of the field.


Managing Users

Users

If your deployment uses the internal database as an identity source, you can use the Security Console to manage all user data.

If your deployment uses an LDAP directory, the identity source is read-only. You can add users to an LDAP directory using a tool appropriate for the directory. After users are added, you can use the Security Console to perform certain administrative functions, such as enabling the user for risk-based authentication (RBA).

You can manage certain user account related activities on the User Dashboard page in the Security Console. For more information, see User Dashboard on page 24.

For more information on managing users, see the chapter Administering Users in the Administrators Guide.


User Dashboard

The User Dashboard provides a consolidated view of authentication data for a single user, allowing you to identify and troubleshoot issues.

You can view the User Dashboard using Quick Search on the Home page. Quick User Search can be customized to search by last name or User ID. You can search for users in one identity source or across all identity sources within your scope. For instructions, see Use Quick Search to View the User Dashboard for a User on page 27.

User Dashboard Tasks

You can use the User Dashboard to perform these tasks for a particular user.

Note: Your ability to view or perform tasks in the User Dashboard depends on your license and administrative permissions.


The following entries list each action, its description, and the reference topic for it.

Enable or disable account. Enable or disable a user from authenticating. See Enable a User Account in the User Dashboard and Disable a User Account in the User Dashboard.

Assign a user alias. A logon alias allows users to authenticate with their RSA SecurID token using User IDs other than their own. See Assign a User Alias in the User Dashboard.

Unlock. Locked out users cannot authenticate until they are unlocked. See Unlock a User in the User Dashboard.

Change a password. You can change passwords for users whose accounts are in the internal database. You might perform this task if the security of the old password has been compromised. See Change a User's Password in the User Dashboard.

Clear security question answers and cached Windows password. You might clear security question answers if the user forgot the answers, or if the security of the answers was compromised in some way. You can avoid a failed logon attempt by clearing the saved copy of the user's Windows password. See Clear Security Question Answers in the User Dashboard and Clear a Cached Copy of Windows Credentials in the User Dashboard.

Add to a user group and view user group memberships. You can add users from any identity source to one or more user groups in the internal database only. See Add a User to a User Group in the User Dashboard and View User Group Memberships for a User in the User Dashboard.

Manage authentication settings. You can create exceptions to authentication policies for individual users. These settings also allow you to troubleshoot user authentication issues.

Clear and set temporary on-demand authentication PIN. You might clear a user's ODA PIN when the PIN is compromised, forgotten, or when your company policy requires the PIN change. You must always set a temporary PIN when you clear a user's PIN because ODA requires a PIN. The user must change a temporary PIN the first time it is used. See Disable On-Demand Authentication for a User in the User Dashboard and Clear a User's On-Demand Authentication PIN in the User Dashboard.

Require a password change at next logon. You can require users to change their passwords if the password is suspected of being compromised. If a user's identity source is the internal database, you can force the user to change the password the next time the user logs on.

Generate an emergency access tokencode for a user whose existing token has been permanently lost or destroyed. See Provide an Offline Emergency Access Tokencode.

Resynchronize tokens. Resynchronize a token when its tokencode does not match the tokencode generated by Authentication Manager. Mismatched tokencodes cause authentication to fail. See Resynchronize a Token in the User Dashboard.

Replace a token. Replace a token that has been permanently lost, stolen, damaged or expired. See Replace a Token for a User in the User Dashboard.

Enable or disable tokens. Only enabled tokens can be used for authentication. Tokens are automatically enabled when first assigned to a user. You might choose to disable a token if a user is out of the office for an extended period of time. Disabling a token does not remove it from the deployment. See Enable a Token in the User Dashboard and Disable a Token in the User Dashboard.

Unassign a token. When you unassign a token, the user can no longer use the token to authenticate and the token is disabled. See Unassign a Token from a User in the User Dashboard.

Use Quick Search to View the User Dashboard for a User

You can view a user's authentication data in the User Dashboard by using Quick Search on the Security Console Home page to find the user. You can search one or more identity sources within your administrative scope. Quick User Search can be customized to search by last name or User ID. By default, all identity sources are searched.

Procedure

1. On the Security Console Home page, use the Quick Search field to find the user that you want to manage.
2. (Optional) From the Identity Source drop-down list, select the user's identity source.


Add a User with Options to the Internal Database

To add a new user with options means that when you add user records, you can configure additional options for the user. For example, when you finish adding the user information, you can assign a token, add the user to a user group or assign the user an administrative role.

Use this procedure to add users to the internal database. Authentication Manager has read-only access to external identity sources.

Procedure

1. In the Security Console, click Identity > Users > Add New With Options.
2. Decide which options you want to assign to the new user, and select the appropriate checkboxes.
3. Click Next.
4. In the Administrative Control section, from the Security Domain drop-down menu, select the security domain to which you want to assign the user.
5. Complete the User Basics section:
   a. (Optional) In the First Name field, enter the user's first name. Do not exceed 255 characters.
   b. (Optional) In the Middle Name field, enter the user's middle name. Do not exceed 255 characters.
   c. In the Last Name field, enter the last name of the user. Do not exceed 255 characters.
   d. In the User ID field, enter the User ID for the user. The User ID must be unique within the identity source where you save the user, and not exceed 255 characters. Do not use multi-byte characters, such as

   Note: If this account is for an administrator who requires access to the Security Console, the User ID must be unique in the deployment.

   e. (Optional) In the Email field, enter the user's e-mail address. Do not exceed 255 characters.
   f. (Optional) In the Certificate DN field, enter the user's certificate DN. The certificate DN must match the subject line of the certificate issued to the user for authentication. Do not exceed 255 characters.

6. Complete the Password section:
   a. In the Password field, enter a password for the user. Password requirements are determined by the password policy assigned to the user's security domain. This is the user's identity source password, which may be different from alternative passwords provided by applications.
   b. In the Confirm Password field, reenter the password.


   c. To force the user to change the password during the next logon, select Force Password Change.
7. Complete the Account Information section:
   a. From the Account Starts drop-down lists, select the date and time when the user account becomes active. The time zone is determined by local system time.
   b. (Optional) Use Account Expires options to modify account expiration settings. To set an expiration date for this user, select Expires on, and select the date and time when the user account will expire. (The time zone is determined by local system time.) To remove account expiration, select Does not expire.
   c. To disable the new account, select Account is disabled.
8. In the Attributes section, in the Mobile Number field, enter a mobile phone number for the user.
9. Click Save & Next.

Add a User to the Internal Database

You can use the Security Console to add users to the internal database even if an LDAP directory is the primary identity source. Adding users directly to the internal database allows you to create a group of users different from those in the identity source. For example, you might store a group of temporary contractors or a specific group of administrators in the internal database. You might also use the internal database to store a small number of users for a pilot project.

User data in an LDAP directory is read-only. You must add users to the LDAP directory using the directory tools. However, you can use the Security Console to perform certain administrative functions, such as assigning tokens or enabling a user for risk-based authentication.

Procedure

1. In the Security Console, click Identity > Users > Add New.
2. In the Administrative Control section, from the Security Domain drop-down list, select the security domain where you want the user to be managed. The user is managed by administrators whose administrative scope includes the security domain you select.
3. In the User Basics section, do the following:
   a. (Optional) In the First Name field, enter the user's first name. Do not exceed 255 characters.
   b. (Optional) In the Middle Name field, enter the user's middle name. Do not exceed 255 characters.
   c. In the Last Name field, enter the last name of the user. Do not exceed 255 characters.


   d. In the User ID field, enter the User ID for the user. The User ID cannot exceed 48 characters. Make sure the User ID is unique to the identity source where you save the user. Do not use multi-byte characters, for example:

Note: If you are creating an account for an administrator who requires access to the Security Console, the User ID must be unique within the deployment.

   e. (Optional) In the Email field, enter the user's e-mail address. Do not exceed 255 characters.
   f. (Optional) In the Certificate DN field, enter the user's certificate DN. The certificate DN must match the subject line of the certificate issued to the user for authentication. Do not exceed 255 characters.

4. In the Password section, do the following:

Note: This password is not used for authenticating through authentication agents.

   a. In the Password field, enter a password for the user. Password requirements are determined by the password policy assigned to the security domain where the user is managed. This is the user's identity source password, which may be different from alternate passwords provided by applications.
   b. In the Confirm Password field, enter the same password that you entered in the Password field.
   c. (Optional) Select Force Password Change if you want to force the user to change his or her password the next time the user logs on. You might select this checkbox, for example, if you assign a standard password to all new users, which you want them to change when they start using the system.
5. In the Account Information section, do the following:
   a. From the Account Starts drop-down lists, select the date and time you want the user's account to become active. The time zone is determined by local system time.
   b. From the Account Expires drop-down lists, select the date and time you want the user's account to expire, or configure the account with no expiration date. The time zone is determined by local system time.
   c. (Optional) Select Disabled if you want to disable the new account.
   d. If a Locked Status option is selected, you can unlock the user by clearing all selected options.
6. (Optional) Under Attributes, enter the user's mobile phone number in the Mobile Number (String) field.
7. Click Save.


Edit a User in the User Dashboard

Use the Security Console to edit a user that is stored in the internal database. If a user is stored in an external LDAP directory identity source, you can manage only a limited number of items in the user's account.

Before You Begin

Your administrative permissions determine whether you can specify attributes for a user. You can only enter values for attributes that your role permits you to edit, even if the attribute is required.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user you want to edit.
4. Under User Profile, click Edit User.

5. Edit the user and click Save.

Delete a User

You can use the Security Console to delete users who are stored in the internal database as their identity source. After you delete the user, you cannot manage the user with RSA Authentication Manager. For example, you can no longer enable the user for authentication.

If the user that you delete is enabled for risk-based authentication (RBA), the system deletes the user device history and updates the feature license so that the seat is available to another user.


You can delete users who use an LDAP directory as their identity source only by using the native LDAP directory interface.

Procedure

1. In the Security Console, click Identity > Users > Manage Existing.
2. Use the search fields to find the user that you want to delete. Some fields are case sensitive.
3. Select the users that you want to delete, and click Delete.
4. Click OK.

Enable a User Account in the User Dashboard

When you enable a user, the user can authenticate and access protected resources.

To enable users who are in an external directory server, you must enable the user in both the directory server and in the Security Console. Only users who are enabled in the directory server can authenticate to the directory server.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user you want to enable.
4. Under User Profile, click Enable.

5. When prompted, click Enable User to confirm.


Disable a User Account in the User Dashboard

When you disable a user, you prevent the user from authenticating and accessing protected resources. Disabling a user does not delete the user from the deployment.

If you want to disable a user in an LDAP directory that is linked to RSA Authentication Manager, you must use the native LDAP directory interface.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user you want to disable.
4. Under User Profile, click Disable.

5. When prompted, click Disable User to confirm.

Locked User Accounts

When a user account is locked, the user cannot authenticate and access protected resources. A user account can be locked in two ways:

Lockout policy. This policy locks a user account if authentication fails a specified number of times using the primary authentication method. Lockout policies apply to the total number of logon attempts a user makes regardless of the type of credential used for each attempt.

Token policies. Token policies determine RSA SecurID PIN lifetime and format, and fixed passcode lifetime and format. They are assigned to security domains and apply to all tokens assigned to users managed by a given security domain. If a user enters an incorrect tokencode a specified number of times, the user is locked out.


Unlock a User in the User Dashboard

Locked out users cannot authenticate until they are unlocked.

The lockout policy specifies the number of failed authentication attempts allowed before the system locks the account. The user might be locked out after a series of incorrect tokencodes or next tokencodes.

If the lockout policy is configured to unlock a user after a certain period of time, the user will be unlocked when the time expires. The user will show as Locked on the Users page and in the User Dashboard. The user will show as True (locked) in the Locked Out field in reports until the next successful authentication.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user you want to unlock.
4. Under User Profile, click Unlock.

5. When prompted, click Unlock User to confirm.
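The lockout behaviour described in Locked User Accounts and in this section, as an added Python example that is not part of this guide or of RSA's product: a per-user failure counter that locks after the policy's limit regardless of credential type, expires on its own under a timed policy, and keeps the Locked Out report flag set until the next successful authentication. The attempt limit, unlock period and User ID are constructed values, and the in-memory state is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Constructed sample of the two lockout settings the guide describes."""
    max_failed_attempts: int             # failures allowed before the account locks
    unlock_after_seconds: Optional[int]  # None: stays locked until an admin unlocks


@dataclass
class UserLockState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None    # time the lock was applied, or None
    reported_locked: bool = False        # the "Locked Out = True" report flag
    history: List[Tuple[float, str, bool]] = field(default_factory=list)


class LockoutTracker:
    """Tracks lockout state per User ID (assumed in-memory model)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserLockState] = {}

    def _state(self, user_id: str) -> UserLockState:
        return self.users.setdefault(user_id, UserLockState())

    def is_locked(self, user_id: str, now: float) -> bool:
        """True when the user cannot authenticate at time `now`.

        With a timed policy the lock expires on its own after the configured
        period; the report flag is deliberately not consulted here.
        """
        st = self._state(user_id)
        if st.locked_at is None:
            return False
        if self.policy.unlock_after_seconds is None:
            return True
        return now - st.locked_at < self.policy.unlock_after_seconds

    def report_flag(self, user_id: str) -> bool:
        """What the Locked Out field in a report would show."""
        return self._state(user_id).reported_locked

    def record_attempt(self, user_id: str, credential: str, success: bool, now: float) -> str:
        """Apply one logon attempt and return the outcome."""
        st = self._state(user_id)
        st.history.append((now, credential, success))
        if self.is_locked(user_id, now):
            return "rejected-locked"
        if st.locked_at is not None:
            # A timed lock has expired: start a fresh count (assumption), but
            # keep the report flag until a successful authentication.
            st.locked_at = None
            st.failed_attempts = 0
        if success:
            st.failed_attempts = 0
            st.reported_locked = False   # cleared only by a successful logon
            return "accepted"
        # Failures count toward one total regardless of credential type
        # (passcode, tokencode, next tokencode): the policy is per user.
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.max_failed_attempts:
            st.locked_at = now
            st.reported_locked = True
            return "rejected-now-locked"
        return "rejected"

    def admin_unlock(self, user_id: str) -> None:
        """The help desk Unlock action: lifts the lock and resets the counter."""
        st = self._state(user_id)
        st.locked_at = None
        st.failed_attempts = 0
        st.reported_locked = False   # assumed: a manual unlock also clears the flag


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(max_failed_attempts=3, unlock_after_seconds=900))
    for t, cred in ((0, "passcode"), (10, "tokencode"), (20, "next tokencode")):
        print(t, cred, tracker.record_attempt("jdoe", cred, False, t))
    print("locked at t=100:", tracker.is_locked("jdoe", 100))
    print("locked at t=920:", tracker.is_locked("jdoe", 920),
          "report flag:", tracker.report_flag("jdoe"))
    print("t=1000 success:", tracker.record_attempt("jdoe", "passcode", True, 1000),
          "report flag:", tracker.report_flag("jdoe"))
```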

Assign a User Alias in the User Dashboard

A logon alias allows users to authenticate with their RSA SecurID token using User IDs other than their own.

Before You Begin

Before you assign a user alias, your Super Admin should have done the following:


Included a restricted or unrestricted agent in your deployment.


If you plan to configure a logon alias, the user must belong to a user group that has access to a restricted agent or has been enabled on an unrestricted agent.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user to whom you want to assign an alias.
4. Under User Profile, click Authentication Settings.

5. Under Authentication Settings, select whether you want to allow users to use their own User IDs or an alias.
6. Select the user group to which you want to assign the alias.
7. In the User ID field, enter the User ID that you want to assign to the alias.
8. In the Shell field, enter the shell that you want assigned to the alias.
9. If your deployment uses RADIUS, from the RADIUS Profile drop-down menu, select the RADIUS profile to assign to the alias.
10. Click Add.
11. Click Save.

Change a User's Password in the User Dashboard

You can change passwords for users whose accounts are in the internal database. You might perform this task if the security of the old password has been compromised.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.


3. Select the user whose password you need to change.

4. Under User Profile, click Edit User.
5. In the Password section, enter the new password in the Password field.
6. Enter the new password again in the Confirm Password field.
7. Click Save.

Require a User to Change a Password using the User Dashboard

If a user's identity source is the internal database, you can force the user to change his or her password the next time the user logs on.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user whose password needs to be changed.
4. Under User Profile, click Edit User.
5. In the Password section, select Require user to change password at next logon.
6. Click Save.

Managing Security Questions

Security questions are an authentication method that requires users to answer questions in order to authenticate. During enrollment, or when users access the Self-Service Console for the first time, users are presented with several questions, which they must answer. Later, when users authenticate, they must answer a subset of these questions with the same answers that they provided during enrollment.

Security questions are used under the following conditions:

when the primary authentication method results in a failed authentication

to confirm identity for risk-based authentication (RBA)

If you want to allow users to change their answers, you must clear their existing answers. For example, you might need to do this when users forget their answers, or when users believe that their answers are compromised. After you clear a user's answers, the user is prompted to provide new answers at the next logon.

For self-service troubleshooting, the number of available questions must exceed the number of questions required for authentication.


Set Requirements for Security Questions

You specify the number of security questions that users must answer during enrollment or when they access the Self-Service Console for the first time, and the number of questions that users must answer correctly during authentication. If the total number of security questions specified for enrollment exceeds the number of questions specified for authentication, the user can choose which questions to answer for authentication.

Procedure

1. In the Security Console, click Setup > System Settings.

2. Click Security Questions Requirements.
3. In the Enrollment field, specify the number of questions users must answer during enrollment. Modifying this setting does not affect users who are currently enrolled.
4. In the Authentication field, specify the number of questions users must answer correctly during authentication.
5. Click Save.
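An added Python model, not RSA's code, of the enrollment and authentication counts set in this procedure and of the clear-answers behaviour described under Managing Security Questions: it enforces that the enrollment count covers the authentication count and that the question pool exceeds it, lets a user who enrolled more questions than required choose which subset to answer, and makes a user whose answers were cleared re-enroll. Storing answers as salted PBKDF2 hashes is an assumption (the guide does not describe storage); the question names and answers are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 50_000   # assumption: the guide does not say how answers are stored


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive matching, so 'Lincoln  High' equals 'lincoln high'."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


class SecurityQuestionPolicy:
    """The two settings under Setup > System Settings > Security Questions Requirements."""

    def __init__(self, available_questions: List[str], enrollment_count: int,
                 authentication_count: int) -> None:
        if authentication_count > enrollment_count:
            raise ValueError("cannot require more answers at authentication than were enrolled")
        if enrollment_count > len(available_questions):
            raise ValueError("not enough questions in the pool to enroll")
        # Self-service troubleshooting needs more questions available than required.
        if len(available_questions) <= authentication_count:
            raise ValueError("available questions must exceed the authentication count")
        self.available_questions = list(available_questions)
        self.enrollment_count = enrollment_count
        self.authentication_count = authentication_count


class SecurityQuestionStore:
    """Per-user enrolled answers (in-memory model; a deployment keeps these server-side)."""

    def __init__(self, policy: SecurityQuestionPolicy) -> None:
        self.policy = policy
        self.records: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}

    def needs_enrollment(self, user_id: str) -> bool:
        """True when the user is prompted for new answers at next logon, e.g. after clearing."""
        return user_id not in self.records

    def enroll(self, user_id: str, answers: Dict[str, str]) -> None:
        unknown = set(answers) - set(self.policy.available_questions)
        if unknown:
            raise ValueError(f"questions not in the pool: {sorted(unknown)}")
        if len(answers) != self.policy.enrollment_count:
            raise ValueError(f"exactly {self.policy.enrollment_count} answers are required")
        record = {}
        for question, answer in answers.items():
            salt = os.urandom(16)                   # per-answer salt
            record[question] = (salt, hash_answer(answer, salt))
        self.records[user_id] = record

    def enrolled_questions(self, user_id: str) -> List[str]:
        """Questions to present; with enrollment > authentication the user picks which to answer."""
        return sorted(self.records.get(user_id, {}))

    def verify(self, user_id: str, answers: Dict[str, str]) -> bool:
        """Accept exactly authentication_count answers, all enrolled and all correct."""
        record = self.records.get(user_id)
        if record is None or len(answers) != self.policy.authentication_count:
            return False
        ok = True
        for question, answer in answers.items():
            stored = record.get(question)
            if stored is None:
                ok = False
                continue
            salt, digest = stored
            # Check every answer instead of returning early, so response time
            # does not reveal which of the answers was wrong.
            ok = hmac.compare_digest(hash_answer(answer, salt), digest) and ok
        return ok

    def clear_answers(self, user_id: str) -> None:
        """The help desk action from the User Dashboard: the user re-enrolls at next logon."""
        self.records.pop(user_id, None)
```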

Clear Security Question Answers in the User Dashboard

You can clear the answers for a particular user's security questions. For example, you might do this if the user forgot the answers, or if the security of the answers was compromised in some way. After answers are cleared, the user must provide new answers in order to use security questions for self-service troubleshooting.

Before You Begin

Make sure that the user configured security questions with answers.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user you want to edit.
4. Under User Profile, click Edit User.

Manage User Authentication Settings in the User Dashboard

You must have a restricted or unrestricted agent. If you plan to configure a logon alias, the user must belong to a user group that has access to a restricted agent or has been enabled on an unrestricted agent.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user whose authentication settings you want to manage.


4. Under User Profile, click Authentication Settings.

5. Edit the user's authentication settings.

6. Click Save.

View Accessible Agents in the User Dashboard

You can view up to 50 restricted and unrestricted agents the selected user can access. For restricted agents, the user can authenticate within the designated access times. You can search these agents by hostname.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user whose recent authentication you want to view.
4. Under Accessible Agents, the agents accessible to the user are listed.

5. (Optional) Search for an agent by hostname.


Managing User Groups

User Groups

A user group is a collection of users, other user groups, or both. Users and user groups that belong to a user group are called member users and member user groups.

Grouping users makes it easy to manage access to protected resources. Users can be grouped according to your organizational needs.

Add a User Group

You can add user groups to the internal database. You do not need to add a user group that already exists in an external identity source. Groups in external identity sources are added when the identity source is linked.

Procedure

1. In the Security Console, click Identity > User Groups > Add New.
2. From the Security Domain drop-down list, select the security domain to which you want to assign the new user group. The new user group is managed by administrators whose administrative scope includes this security domain.
3. In the User Group Name field, enter a unique name for the user group. Do not exceed 64 characters. The characters & % > < are not allowed.
4. Click Save.

Edit User Groups

You can edit user groups for users whose accounts are in the internal database. Editing a user group allows you to change information such as the user group's name and security domain.

Before You Begin

If a user group resides in an external LDAP identity source, you can edit the following fields only:

Security Domain

Notes

Procedure

1. In the Security Console, click Identity > User Groups > Manage Existing.
2. Select the user group that you want to edit, and click Edit.
3. Make the necessary changes to the user group.


4. Click Save.

If you have not saved your edits, you can click Reset to reset the user group to be as it was before you began editing.

View User Group Members

You can view users who are organized into user groups based on criteria such as geographic location or job title.

Procedure

1. In the Security Console, click Identity > User Groups > Manage Existing.
2. Click the user group, and select Member Users.
3. Use the search fields to search for all users.

Add a User to a User Group in the User Dashboard

You can add users from any identity source to one or more user groups in the internal database. To add users to a group in an external LDAP identity source, you must use a tool appropriate for the directory.

You can organize users into user groups based on criteria such as geographic location or job title. You can also restrict which agents the user members can use to authenticate and the times that they can authenticate through the agent.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user you want to add to a user group.
4. Under User Group Membership, click Add User to Group(s).


5. When prompted, search for a user group.

6. Select the user group or groups to which you want to add the user.
7. Click Add to Group(s).

View User Group Memberships for a User in the User Dashboard

Use the Security Console to view the user groups in which a user has membership.

The Security Console cannot display a user's primary Active Directory group, such as Domain Users. The group appears empty even though it has members.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user whose user group memberships you want to view.
4. Under User Group Membership, the user group memberships for the user are listed.


Managing RSA SecurID Tokens

RSA SecurID Tokens Overview

RSA SecurID tokens offer two-factor authentication by generating a 6-digit or 8-digit tokencode at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter the passcode to verify their identity to resources protected by Authentication Manager. If Authentication Manager validates the passcode, the user is granted access. Otherwise, the user is denied access.

There are two kinds of SecurID tokens, hardware tokens and software tokens. Hardware and software tokens require similar administrative tasks. You can perform many token-related administrative tasks with the User Dashboard in the Security Console.

Import a Token Record File

RSA manufacturing provides an XML file that contains the token records that your organization has purchased. Before you can work with individual token records, you must import the token record XML file into Authentication Manager.

For hardware tokens, each token record in the file corresponds to a hardware token that your organization has purchased.

For software tokens, token record data will eventually be transferred into a software token application. Each token record contains the token seed and metadata such as the token serial number, expiration date, and the tokencode length and interval.

Before You Begin

Decide which security domain will own the imported tokens. The security domain must be in the administrative scope of the administrator who will deploy and manage the tokens.

Your administrative role must permit you to manage tokens.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Import Tokens Job > Add New.
2. Enter a name for the import job. The job is saved with this name so that you can review the details of the job later. The name must be from 1 to 128 characters. The characters & % > < are not allowed.


3. From the Security Domain drop-down menu, select the security domain into which you want to import the tokens. The tokens are managed by administrators whose scope includes this security domain. By default, tokens are imported into the top-level security domain.
4. Browse to select the token files that you want to import.
5. In the File Password field, enter a password if the file is password protected.
6. Use the Import Options radio buttons to specify handling for duplicate tokens.
7. Click Submit Job.

Next Steps

Assign and Distribute a Software Token to a User Using File-Based Distribution in the User Dashboard on page 51.

Assign and Distribute a Software Token to a User Using Dynamic Seed Provisioning in the User Dashboard on page 57.

Assign a Hardware Token to a User in the User Dashboard on page 46.

Assign a Hardware Token to a User in the User Dashboard

Before a user can use a hardware token to authenticate, you must assign the token to the user. You can assign up to three tokens to a single user. RSA recommends that you do not assign more than one hardware token to a user as this may increase the likelihood that users will report a lost or stolen token.

Before You Begin

Import a token record file. For instructions, see Import a Token Record File on page 45.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.
3. Select the user to whom you want to assign a hardware token.


5. Select a token from the list or search for a token in the search bar.
6. Click Assign Token(s).

Next Steps

Distribute a Hardware Token on page 48

Assign Hardware Tokens to Multiple Users

Before users can use hardware tokens to authenticate, you must assign the tokens to the users. You can assign up to three tokens to a single user.

Before You Begin

See Import a Token Record File on page 45.

Procedure

1. In the Security Console, click Identity > Users > Manage Existing.
2. Use the search fields to find the users to whom you want to assign tokens.
3. From the search results, select the checkboxes next to the users to whom you want to assign tokens.
4. From the Action menu, click Assign SecurID Tokens.
5. Click Go.
6. From the list of available RSA SecurID tokens, select the checkbox next to the hardware tokens that you want to assign.

Note: The number of selected tokens must equal the number of selected users.

7. Click Assign.


Next Steps

Distribute a Hardware Token on page 48

Distribute a Hardware Token

Before a user can use a hardware token to authenticate, you must distribute the token to the user.

Before You Begin

Assign a hardware token to a user.

Procedure

Do one of the following:

If users are located within close proximity, instruct the users to physically collect the tokens.

If your organization is large and geographically dispersed, distribute tokens by mail.

Software Token Profiles

Software token profiles specify software token configurations and distribution processes. A software token profile is required for each platform for which you plan to distribute software tokens. Only a Super Admin can add software token profiles to the deployment. Software token profiles are available to the entire deployment and are not specific to a security domain.

Device Definition File

A device definition file is an XML file that defines the capabilities and attributes of software tokens used on a specific platform, for example, the Android platform or the iOS platform. The file identifies the supported tokencode characteristics, the token type, whether the token is CT-KIP capable, CT-KIP link format, whether the token is CTF capable, and the supported binding attributes.

When RSA releases applications for new software token types, the applications often require new device definition files. You must import the new device definition file when you create a software token profile using the new token type. To determine whether you need to import a new device definition file, see the Administrator's Guide for your software token application.


Software Token Configuration

RSA SecurID software tokens are factory-set as PINPad PIN type (PIN integrated with tokencode), 8-digit tokencode length, and 60-second tokencode interval. However, you can configure the tokencode interval, PIN type, and tokencode length of software tokens for each software token profile that you create. Depending on configuration options set in the device definition file, you can set the tokencode length to 6 or 8 digits and the tokencode interval to 30 or 60 seconds. You can change the PIN type so that the token behaves like a hardware fob. You can also reconfigure the token to be tokencode only.

Software Token Delivery Methods

The following methods are available for providing token data to a software token application:

Dynamic Seed Provisioning (CT-KIP). The dynamic seed provisioning method uses the four-pass Cryptographic Token Key Initialization Protocol (CT-KIP) to exchange information between an RSA SecurID client application running on a mobile device or desktop, and the CT-KIP server, which is a component of the Authentication Manager server. The information exchanged between the client and server is used to generate a unique shared secret (token seed). Information critical to the seed generation is encrypted during transmission using a public-private key pair. The generated token seed value is never transmitted across the network. Dynamic seed provisioning is preferred over file-based provisioning because the four-pass protocol prevents the potential interception of the token's seed during the provisioning process.

If you configured activation codes to expire, a user must provide the activation code to the client application before the code expires. If the activation code is not used before the expiration time, you must redistribute the token, and provide the CT-KIP URL and the new activation code to the user.

The four-pass CT-KIP protocol is initiated by a request from the client application to the CT-KIP server when the user selects an import token option on the client device. Dynamic seed provisioning uses a unique one-time provisioning activation code to ensure that the request is legitimate. The client application must be provided with the activation code, either through manual user entry or as part of a URL string sent to the user's device e-mail. The CT-KIP server evaluates the activation code, and if the server determines that the request is valid, the four-pass process continues, ultimately resulting in a successful import operation.

File-Based Provisioning. With file-based provisioning, Authentication Manager generates token data contained within a file, which is added to a ZIP file for download. Software token files provisioned using this method have the extension .sdtid. The data in the token file includes the seed used by the SecurID algorithm and other metadata, including the token serial number, expiration date, number of digits in the tokencode, and so on. To protect the seed against attack, the seed is encrypted using the AES encryption algorithm and an optional password that you can assign during the configuration process. RSA recommends protecting file-based tokens with a strong password that conforms to guidelines provided in the RSA Authentication Manager 8.1 Security Configuration Guide.


Compressed Token Format (CTF) Provisioning. E-mail programs on some mobile device platforms cannot interpret .sdtid file attachments. In such cases, you can deliver file-based tokens using Compressed Token Format (CTF). Authentication Manager generates token data in the form of a CTF URL string, which you deliver to the user's device by e-mail as a URL link. CTF URL strings contain the encoded token data needed by the software token application. This encoded data includes the seed used by the SecurID algorithm and other metadata, including the token serial number, expiration date, number of digits in the tokencode, and so on. The URL format signals the device that the URL link contains data relevant to the software token application. RSA recommends protecting CTF format tokens with a strong password that conforms to guidelines provided in the RSA Authentication Manager 8.1 Security Configuration Guide.

Device Attributes

Device attributes are used to add information to software tokens. You can use the DeviceSerialNumber field to restrict the installation of a token to a device platform or to a specific device. The default DeviceSerialNumber value associated with the device type binds the token to a specific platform. Binding to a device platform allows the user to install the token on any device that runs on that platform, for example, any supported Android device. The user cannot install the token on a different platform, such as Apple iOS.

For additional security, you can bind a token to a single, device-specific identification number, for example, a separate, unique device ID assigned by the RSA SecurID software token application. In this case, the token can only be installed on the device that has the device-specific ID. If a user attempts to import the token to any other device, the import fails. You must bind tokens before you distribute them. In some cases, you must obtain the device binding information from the user. The user must install the software application before providing the binding information. For more information, see your RSA SecurID software token documentation.

The Nickname field allows you to assign a user-friendly name to the token. When the token is installed into the application on the device, the application displays the token nickname. If you do not assign a nickname, the application displays a default name, for example, the token serial number. Not all software token applications support nicknames.

Assign Software Tokens to Multiple Users

Before users can use software tokens to authenticate, you must assign the tokens to the users, and then deliver the token to the users.

Procedure

1. In the Security Console, click Identity > Users > Manage Existing.
2. Use the search fields to find the users to whom you want to assign tokens.
3. From the search results, select the checkboxes next to the users to whom you want to assign tokens.
4. From the Action menu, click Assign SecurID Tokens.


5. Click Go.
6. From the list of available RSA SecurID tokens on the Assign to Users page, select the checkbox next to the software tokens that you want to assign to the users. Remember which tokens you assign so you can deliver them later.

Note: The number of selected tokens must equal the number of selected users.

7. Click Assign.

Next Steps

Deliver the tokens using one of the following methods:

For file-based provisioning, save a software token to a file and electronically deliver it to the user's device. For instructions, see Distribute Multiple Software Tokens Using Dynamic Seed Provisioning (CT-KIP) on page 58.

For the CT-KIP protocol, use dynamic seed provisioning to deploy a software token on a user's device. For instructions, see Assign and Distribute a Software Token to a User Using Dynamic Seed Provisioning in the User Dashboard on page 57.

Assign and Distribute a Software Token to a User Using File-Based Distribution in the User Dashboard

Before a user can use a software token to authenticate, you must assign the token to the user. You can assign up to three tokens to a single user.

Software token files provisioned using file-based distribution have the .SDTID extension. The data in the token file includes the seed used by the SecurID algorithm, and other metadata such as expiration date, serial number, and number of digits in the tokencode.

Before You Begin

Confirm the following:

Software tokens have been imported.

Software token profiles have been added.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.3. Select the user to whom you want to assign a token.

5. Select a token from the list or search for a token in the search bar.
6. Click Assign Token(s).
7. From the Select Token Profile drop-down list, select a software token profile with file-based provisioning as the delivery method.
8. In the Device Serial Number field, leave the default selection or enter the appropriate device information.
9. (Optional) In the Nickname field, enter a user-friendly nickname for the software token, if supported.
10. You can choose to Password Protect the token file. The following options are available:

• Password. Enter a password of your choice. This password applies to all software tokens in the token distribution file. A password can be up to 24 characters long.

• No password. The user does not enter a password.

• User ID. The user enters his or her User ID.

• Combination User ID followed by Password. The user enters his or her User ID and the password that you set. The User ID and password combination can be up to 24 characters long.

11. If you select Password or Combination, choose a password, and enter it in the Password and Confirm Password fields.
12. Click Save and Distribute.
13. Click Download Now.

Next Step

Save the software token file and electronically deliver it to the user's device.


Distribute Multiple Software Tokens Using File-Based Provisioning

When you distribute software tokens using file-based provisioning, token data is stored in a token distribution file (SDTID file). The SDTID file is added to a ZIP file for download.

Before You Begin

• Instruct users to install the software token application on their devices. For installation instructions, see the Administrator's Guide for your software token application.

• Your Super Admin must add a software token profile.

• Assign tokens to users.

Important: When you redistribute tokens using this method, any existing users of these tokens may no longer be able to authenticate. Users must import the new token data before they can authenticate.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Distribute Software Tokens in Bulk > Generate Software Token Files.
2. In the Job Name field, enter a name for the job, or accept the default name. The job is saved with this name so that you can review the details of the job later. Enter a unique name from 1 to 128 characters. The characters & % > < are not allowed.
3. From the Software Token Profile drop-down list, select a software token profile with file-based provisioning as the delivery method.
4. In the DeviceSerialNumber field, do one of the following:

• To bind the token to the device class, leave the default setting.

• To bind the token to a specific device, clear the field and enter the device ID you obtained from the user. A token bound to a specific device ID is accepted only by the device with that ID, which limits the damage if the token file is intercepted.

5. Enter a nickname or leave the Nickname field blank.
6. You can choose to Password Protect the token file. The user must enter the password when adding the token to the SecurID application on the device. Select an option:

• Password. Enter a password of your choice. This password applies to all software tokens in the token distribution file. A password can be up to 24 characters long for 128-bit tokens and 8 characters long for 64-bit tokens.

• No password. The user does not enter a password.

• User ID. The user enters his or her user ID.

• Combination User ID followed by Password. The user enters his or her user ID and the password that you set. The user ID and password combination can be up to 24 characters long for 128-bit tokens and 8 characters long for 64-bit tokens.

7. If you selected Password or Combination, enter the password in the Password and Confirm Password fields.
8. Click Next.
9. Enter the token selection criteria to find the tokens that you want to distribute. For example, enter the range of serial numbers for the tokens that you want to distribute.
10. Click Next.
11. Review the distribution summary and click Submit Job.
12. Click the Completed tab to view completed jobs.
13. From the context menu, click Download Output File.
14. Save the output file to your machine.
15. Safely deliver the token files to users. If you set a password, send it over a different channel from the file itself.

Distribute One Software Token Using Compressed Token Format (CTF)

When you distribute a software token using Compressed Token Format (CTF), you generate a URL, which you deliver to the user. This URL contains the token data needed by the software token application. Because the URL itself carries the token data, treat it like a token file: anyone who obtains the URL can import the token (subject to any password you set), and URLs are easily retained in e-mail, chat and browser history.

Before You Begin

• Instruct users to install the software token application on their devices. For installation instructions, see the documentation for the software token application.

• Add a Software Token Profile. Only a Super Admin can add software token profiles.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
2. Click the Assigned tab.
3. Use the search fields to find the software token that you want to distribute.
4. From the search results, click the software token that you want to distribute.
5. From the context menu, click Distribute.
6. From the Select Token Profile drop-down list, select a software token profile with Compressed Token Format (CTF) as the delivery method.
7. In the DeviceSerialNumber field, do one of the following:

• To bind the token to the device class, leave the default setting.

• To bind the token to a specific device, clear the field and enter the device ID you obtained from the user.

8. Enter a nickname or leave the Nickname field blank.
9. You can choose to Password Protect the token file. The following options are available:

• Password. Enter a password of your choice. This password applies to all software tokens in the token distribution file. A password can be up to 24 characters long for 128-bit tokens and 8 characters long for 64-bit tokens.

• No password. The user does not enter a password.

• User ID. The user enters his or her user ID.

• Combination User ID followed by Password. The user enters his or her user ID and the password that you set. The user ID and password combination can be up to 24 characters long for 128-bit tokens and 8 characters long for 64-bit tokens.

10. If you select Password or Combination, create a password, and enter it in the Password and Confirm Password fields.
11. Click Save and Distribute.
12. Copy the CTF URL and safely deliver it to the user.

Note: If you navigate away from this page before you copy the CTF URL, you must perform the distribution process from the beginning to generate a new URL.

13. Instruct the user on how to import the token. For more information, see the software token Administrator's Guide for your platform.

Distribute Multiple Software Tokens Using Compressed Token Format (CTF)

When you distribute software tokens using Compressed Token Format (CTF), you generate a URL for each token, which you deliver to the user. This URL contains the token data needed by the software token application.

Before You Begin

• Instruct users to install the software token application on their devices. For installation instructions, see the documentation for the software token application.

• Add a Software Token Profile. Only a Super Admin can add software token profiles.

Important: If you use this method to redistribute existing tokens, the users of these tokens cannot authenticate until they import the new token data.


Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Distribute Software Tokens in Bulk > Generate Compressed Token Format Credentials.
2. In the Job Name field, enter a name for the job, or accept the default name. The job is saved with this name so that you can go back and review the details of the job later. The name must be a unique name containing 1 to 128 characters. The characters & % > < are not allowed.
3. From the Software Token Profile drop-down list, select a software token profile with CTF as the delivery method.
4. In the DeviceSerialNumber field, do one of the following:

• To bind the token to the device class, leave the default setting.

• To bind the token to a specific device, clear the field and enter the device ID you obtained from the user.

5. Enter a nickname or leave the Nickname field blank.
6. You can choose to Password Protect the token file. The following options are available:

• Password. Enter a password of your choice. This password applies to all software tokens in the token distribution file. A password can be up to 24 characters long for 128-bit tokens and 8 characters long for 64-bit tokens.

• No password. The user does not enter a password.

• User ID. The user enters his or her user ID.

• Combination User ID followed by Password. The user enters his or her user ID and the password that you set. The user ID and password combination can be up to 24 characters long for 128-bit tokens and 8 characters long for 64-bit tokens.

7. If you select Password or Combination, create a password, and enter it in the Password and Confirm Password fields.
8. Click Next.
9. Enter the token selection criteria to find the tokens that you want to distribute. For example, enter the range of serial numbers for the tokens that you want to distribute.
10. Click Next.
11. Review the distribution summary and click Submit Job.
12. Click the Completed tab to view completed jobs.
13. Click the job with which you want to work.
14. From the context menu, click Download Output File.
15. Save the output file to your machine.
16. Open the output file, copy the CTF URLs and safely deliver them to the users.
17. Instruct users on how to import the token. For more information, see the software token Administrator's Guide for your platform.


Assign and Distribute a Software Token to a User Using Dynamic Seed Provisioning in the User Dashboard

Before a user can use a software token to authenticate, you must assign and distribute the token to the user. You can assign up to three tokens to a single user.

Authentication Manager provides dynamic seed provisioning, which uses the Cryptographic Token Key Initialization Protocol (CT-KIP) to generate token data without the need for a token file. After you complete the provisioning steps, Authentication Manager displays the URL link of the CT-KIP server and the token activation code. You need these two pieces of information in order to deliver the token to a device as a URL. Because the seed is established between the device and the CT-KIP server rather than shipped in a file, the activation code is the only secret in transit; it is still enough to enroll the token until it is used or expires, so deliver it as carefully as you would a token file.

Before You Begin

Confirm the following:

• Software tokens have been imported.

• Software token profiles have been added.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user to whom you want to assign a token.
4. Under Assigned SecurID Tokens, click Assign More Tokens > Assign Software Tokens.
5. Select a token from the list or search for a token in the search bar.
6. Click Assign Token(s).
7. From the Select Token Profile drop-down list, select a software token profile with dynamic seed provisioning as the delivery method.
8. In the Device Serial Number field, leave the default selection or enter the appropriate device information.

• Copy the information into e-mail that you encrypt.

Distribute Multiple Software Tokens Using Dynamic Seed Provisioning (CT-KIP)

Before You Begin

• Instruct users to install the software token application on their devices. For installation instructions, see the documentation for the software token application.

• Your Super Admin must add a software token profile.

• Assign tokens to users.

• RSA recommends that you replace the default certificates in Authentication Manager with trusted certificates. If you do not replace the default certificates, end users are prompted to accept untrusted certificates before proceeding. If you want to use dynamic seed provisioning with CT-KIP, you must have a trusted certificate on the Authentication Manager server or web tiers. Users who are taught to click through certificate warnings cannot tell the real CT-KIP server from an impostor, so treat the certificate replacement as a prerequisite rather than a cosmetic fix.

Important: When you redistribute tokens using this method, any existing users of these tokens may no longer be able to authenticate. Users must import the new token data before they can authenticate.


Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Distribute Software Tokens in Bulk > Generate Dynamic Seed Provisioning Credentials.
2. In the Job Name field, enter a name for the job, or accept the default name. The job is saved with this name so that you can review the details of the job later. The name must be a unique name from 1 to 128 characters. The characters & % > < are not allowed.
3. From the Software Token Profile drop-down list, select a software token profile with dynamic seed provisioning as the delivery method.
4. In the DeviceSerialNumber field, do one of the following:

• To bind the token to the device class, leave the default setting.

• To bind the token to a specific device, clear the field and enter the device ID you obtained from the user.

5. Enter a nickname or leave the Nickname field blank.
6. Click Next.
7. Enter the token selection criteria to find the tokens that you want to distribute. For example, enter the range of serial numbers for the tokens that you want to distribute.
8. Click Next.
9. Review the distribution summary and click Submit Job.
10. Click the Completed tab to view completed jobs.
11. Click the job with which you want to work.
12. From the context menu, click Download Output File.
13. Save the output file to your machine.
14. Open the output file, copy the activation codes and CT-KIP URL and safely deliver them to the users.

Note: When you download the output file, some spreadsheet applications will remove the leading zeroes from the activation codes. To import activation codes successfully, open the file in an application that does not remove any characters, such as a text editor, to copy the activation code accurately.

15. Instruct users on how to import tokens. If you configured activation codes to expire, advise users to import tokens before the expiration time. If the activation codes are not used before the expiration time, you must redistribute the tokens, and provide the CT-KIP URL and the new activation codes to users. For more information, see the software token Administrator's Guide for your platform.
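The warning about leading zeroes is worth automating rather than trusting to whoever opens the file. The following Python script is an added illustration, not part of this guide or of Authentication Manager: it reads a bulk job output file purely as text so every activation code keeps its exact characters, flags codes whose width does not match the expected one (the fingerprint of a spreadsheet round trip), and builds the per-user URL-plus-code pairs to deliver. The column names, the 10-digit activation code width, the hostname and the CT-KIP URL path in the samples are assumptions made for this example; check them against a real output file before relying on the script.

```python
import csv
import io

# Constructed sample of a bulk dynamic seed provisioning output file.
# The column names, the 10-digit activation code width, the hostname and
# the CT-KIP URL path are assumptions for this example only; confirm them
# against a real job output file before relying on this script.
SAMPLE_OUTPUT = """\
User ID,Token Serial Number,Activation Code,CT-KIP URL
jdoe,000123456789,0034871256,https://am.example.com/ctkip/services/CtkipService
asmith,000123456790,9102837465,https://am.example.com/ctkip/services/CtkipService
"""

# The same data after a round trip through a spreadsheet that treated the
# numeric-looking columns as numbers: jdoe's leading zeros are gone.
DAMAGED_OUTPUT = """\
User ID,Token Serial Number,Activation Code,CT-KIP URL
jdoe,123456789,34871256,https://am.example.com/ctkip/services/CtkipService
asmith,123456790,9102837465,https://am.example.com/ctkip/services/CtkipService
"""

ACTIVATION_CODE_WIDTH = 10  # assumed width; see note above


def parse_provisioning_output(text):
    """Parse the CSV purely as text so each field stays the exact string
    Authentication Manager wrote. No int() conversion anywhere."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def find_truncated_codes(rows, width=ACTIVATION_CODE_WIDTH):
    """User IDs whose activation code does not have the expected width or
    is not all digits: the fingerprint of a spreadsheet that stripped zeros."""
    return [row["User ID"] for row in rows
            if len(row["Activation Code"]) != width
            or not row["Activation Code"].isdigit()]


def delivery_records(rows):
    """Map each user ID to the two items that user must receive:
    the CT-KIP URL and the activation code, both kept as strings."""
    return {row["User ID"]: (row["CT-KIP URL"], row["Activation Code"])
            for row in rows}


if __name__ == "__main__":
    intact = parse_provisioning_output(SAMPLE_OUTPUT)
    damaged = parse_provisioning_output(DAMAGED_OUTPUT)
    print("intact file, suspect codes:", find_truncated_codes(intact))
    print("after spreadsheet, suspect codes:", find_truncated_codes(damaged))
    for user, (url, code) in delivery_records(intact).items():
        print(f"{user}: {url} activation code {code}")
```

Run the width check on the file you are about to send out, not on the one you downloaded: the damage happens when the file is opened and re-saved, so the check belongs immediately before delivery.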


Enable a Token in the User Dashboard

Before a user can use an assigned token to authenticate, you must enable the token.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user whose token you want to enable.
4. Under Assigned SecurID Tokens, click the token you want to enable.
5. Click the arrow next to Disable and then click Enable.
6. When prompted, click Enable Token(s).

Disable a Token in the User Dashboard

When you disable a token, the assigned user can no longer use the token to authenticate. You might choose to disable a token if a user is out of the office for an extended period of time.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user whose token you want to disable.
4. Under Assigned SecurID Tokens, click the token you want to disable.

5. Click Disable.
6. When prompted, click Disable Token(s).

Delete a Token

When you delete a token, the token is removed from the internal database and can no longer be assigned. If it is already assigned to a user, the user cannot use the token to authenticate.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
2. Click the Assigned or Unassigned tab, depending on whether the tokens you want to delete are assigned to a user or are unassigned.
3. Use the search fields to find the token that you want to delete.
4. From the search results, select the checkbox next to the token or tokens that you want to delete.
5. From the Action menu, click Delete.
6. Click Go.
7. Click OK in the delete dialog box to confirm deletion.

View a Token

You can view all tokens that have been imported to security domains included in the scope of your administrative role. You can view both assigned and unassigned tokens.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
2. Click the Assigned and Unassigned tabs to alternately view assigned and unassigned tokens respectively.
3. Use the search fields to find the token that you want to view.
4. From the context menu, select View.

Replace a Token for a User in the User Dashboard

Occasionally, you must assign a new token to a user. For example, you must assign a new token to a user whose existing token has been permanently lost or destroyed. A user also needs a new token if his or her current token has expired. Replaced tokens are either unassigned or deleted from the deployment, depending on your configuration.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user whose token you want to replace.
4. Under Assigned SecurID Tokens, click the token you want to replace.
5. Click the arrow next to the Edit button and select Replace.
6. Select a token from the list or search for a token in the search bar.
7. Click Replace Token.


Resynchronize a Token in the User Dashboard

A token must be resynchronized when the tokencode displayed on the token does not match the tokencode generated by Authentication Manager. When the tokencodes do not match, authentication attempts fail. Depending on your configuration, users can resynchronize tokens with the Self-Service Console.

Before You Begin

You need access to the tokencodes. The user can read tokencodes to you over the phone. Verify the caller's identity before accepting tokencodes this way.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user whose token you want to resynchronize.
4. Under Assigned SecurID Tokens, click the token you want to resynchronize.
5. Click the arrow next to the Edit button and select Resynchronize Token.
6. Type the current tokencode.
7. Type the next tokencode.
8. Click Resynchronize.
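To see why steps 6 and 7 ask for two consecutive tokencodes rather than one, the following Python model, added here and not the guide's own or RSA's code, simulates the resynchronization search. It stands in for the proprietary SecurID algorithm with an HMAC-SHA1 code generator over a 60-second interval counter; that generator, the seed, the interval counter values and the size of the search window are all assumptions for illustration, since the page does not describe the real algorithm or search. The server scans a window of intervals around its own clock for the single offset at which the first code matches and the second code matches the very next interval, and rejects the attempt when there is no unique match, for example because a code was misread, the same code was entered twice, or the token has drifted beyond the window.

```python
import hashlib
import hmac
import struct

DIGITS = 6          # tokencode length
WINDOW = 600        # intervals to search either side of the server clock

# Constructed seed for this example only. A real token seed lives in the
# token record and never passes through help desk tooling like this.
SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SERVER_NOW = 28_000_000   # server's current interval counter (constructed)
DRIFT = 37                # the token's clock is 37 intervals ahead


def tokencode(seed, counter, digits=DIGITS):
    """Stand-in code generator: HMAC-SHA1 over the interval counter,
    truncated to a decimal code. It models the behaviour only; this is
    not the SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def resynchronize(seed, server_counter, first, second, window=WINDOW):
    """Find the token's drift from two consecutive codes read by the user.

    Scans counters in [server_counter - window, server_counter + window]
    for the one position where `first` matches and `second` matches the
    very next interval. Returns the drift, or None when there is no unique
    match (misread codes, non-consecutive codes, or drift beyond window)."""
    if not (first.isdigit() and second.isdigit()
            and len(first) == len(second) == DIGITS):
        return None
    matches = [d for d in range(-window, window + 1)
               if tokencode(seed, server_counter + d) == first
               and tokencode(seed, server_counter + d + 1) == second]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    # What the help desk types in steps 6 and 7: the current code, then the next.
    current = tokencode(SEED, SERVER_NOW + DRIFT)
    following = tokencode(SEED, SERVER_NOW + DRIFT + 1)
    print("user reads", current, "then", following)
    print("recovered drift:", resynchronize(SEED, SERVER_NOW, current, following))
    # The same code entered twice is not a consecutive pair and is rejected.
    print("same code twice:", resynchronize(SEED, SERVER_NOW, current, current))
```

A single six-digit code would be accepted anywhere in the window it happened to collide, and would give no evidence that the token is actually advancing; requiring the successor code pins the offset down and confirms the caller is reading a live token.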


Unassign a Token from a User in the User Dashboard

When you unassign a token, the user can no longer use the token to authenticate and the token is disabled. If you reassign the token to another user, it is automatically re-enabled.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user whose token you want to unassign.
4. Under Assigned SecurID Tokens, click the token you want to unassign.
5. Click the arrow next to the Edit button and click Unassign.
6. When prompted, click Unassign Token.


On-Demand Authentication

On-Demand Authentication

On-demand authentication (ODA) is a service that allows users to receive on-demand tokencodes delivered by text message or e-mail. You can use ODA to protect web-based resources, such as an SSL-VPN, thin client, or web portal.

When a user logs on to an agent with a valid PIN, the system sends a tokencode to the user by either text message or e-mail. The user is prompted for the tokencode to gain access to the protected resource.

Enable On-Demand Authentication for a User in the User Dashboard

On-demand authentication (ODA) delivers a one-time tokencode to a user's mobile phone or e-mail account. On-demand tokencodes expire after a specified time period, enhancing their security. You can use ODA to protect web-based resources, such as an SSL-VPN, thin client, or web portal.

Enable ODA for users so that they can receive on-demand tokencodes.

Before You Begin

On-demand tokencode delivery must be configured for your deployment.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user for whom ODA must be enabled.
4. Under On-Demand Authentication (ODA), click Manage.
5. For Enable User, select Enable user for on-demand authentication.
6. (Optional) Set an expiration date for the on-demand tokencode.
7. Enter the user's mobile phone number.
8. Use the Associated PIN options to specify how the user's initial PIN is created. Create an initial PIN if necessary.
9. Click Save.

7: On-Demand Authentication


Enable Users to Set Initial On-Demand Authentication PINs in the User Dashboard

Users need a PIN before attempting to use on-demand authentication (ODA) to access a protected resource. You can either set the initial PIN for the user or you can enable users to set their initial PINs and thus relieve administrators of this task.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user for whom ODA must be enabled.
4. Under On-Demand Authentication (ODA), click Manage.
5. For Enable User, select Enable user for on-demand authentication.
6. Select Require user to set the PIN through the RSA Self-Service Console.
7. Click Save.

Clear a User's On-Demand Authentication PIN in the User Dashboard

You might clear a user's on-demand authentication (ODA) PIN when the PIN is compromised, forgotten, or when your company policy requires the PIN change. You must always set a temporary PIN when you clear a user's PIN because ODA requires a PIN. The user must change a temporary PIN the first time it is used.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user whose ODA PIN you need to clear.
4. Under On-Demand Authentication (ODA), click Manage.
5. In Associated PIN, select Clear existing PIN and set temporary PIN for the user.
6. Enter a new PIN.
7. Click Save.


Disable On-Demand Authentication for a User in the User Dashboard

Disable on-demand authentication (ODA) for a user when you no longer want to allow the user to request on-demand tokencodes. You can do this, for example, when users who needed temporary access no longer need it.

Procedure


Online Emergency Access

You can provide emergency access for users with misplaced, lost, stolen, or damaged tokens through the use of an online emergency access tokencode. There are two types of online emergency access tokencodes:

• Temporary fixed tokencode. Used with the user's PIN. You can configure the expiration date.

• One-time tokencode set. A set of tokencodes. Each tokencode can be used only once, and is used with the user's PIN.

The online emergency access tokencode is an 8-character alphanumeric code generated by Authentication Manager. Similar to the tokencode that is used under non-emergency circumstances, the online emergency access tokencode is combined with the user's PIN to create a passcode. The format of the online emergency access tokencode is determined by the token policy of the security domain to which it belongs.

If the user has an expired token, you need to replace the token, and then provide temporary access. An online emergency access tokencode cannot be assigned to an expired token.

Assign a Temporary Fixed Tokencode

This procedure provides a user with temporary emergency access using a temporary fixed tokencode. A temporary fixed tokencode replaces the tokencode generated by the user's token. Similar to the regular tokencode, the temporary fixed tokencode is entered with the user's PIN to create a passcode. By using a PIN with the temporary fixed tokencode, the user can still achieve two-factor authentication.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
2. On the Assigned tab, use the search fields to find the lost or destroyed token.
3. From the search results, click the lost or destroyed token, and from the context menu, select Emergency Access Tokencodes.
4. On the Manage Emergency Access Tokencodes page, select Online Emergency Access.

8: Emergency Access


5. For Type of Emergency Access Tokencode(s), select Temporary Fixed Tokencode.
6. Click Generate New Code. The tokencode displays next to the Generate New Code button.
7. Record the emergency access tokencode so that you can communicate it to the user.
8. For Emergency Access Tokencode Lifetime, select either No expiration or select Expire on and specify an expiration date. You may want to limit the length of time the temporary fixed tokencode can be used. Because it is a fixed code that stays valid for its whole lifetime, it is not as secure as the pseudorandom number generated by a token.
9. For If Token Becomes Available, select one of the following options:

• Deny authentication with token. Select this option if the token is permanently lost or stolen. This option prevents the token from being used for authentication if recovered. This safeguards the protected resources in the event the token is found by an unauthorized individual who attempts to authenticate.

• Allow authentication with token at any time and disable online emergency tokencode. Select this option if the token is temporarily unavailable (for example, the user left the token at home). When the user recovers the token, he or she can immediately resume using the token for authentication. The online emergency access tokencode is disabled as soon as the recovered token is used.

• Allow authentication with token only after the emergency code lifetime has expired and disable online emergency tokencode. You can choose this option for misplaced tokens. When the missing token is recovered, it cannot be used for authentication until the online emergency access tokencode expires.

10. Click Save.

Assign a Set of One-Time Tokencodes

You can provide temporary access for a user whose token has been permanently lost or destroyed by assigning a set of one-time tokencodes. A one-time tokencode replaces the tokencode generated by the user's missing token. Users must enter their PIN and a one-time tokencode to perform two-factor authentication. Each one-time tokencode in a set can be used once. A set of tokencodes allows a user to authenticate multiple times without contacting an administrator each time.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
2. Use the search fields to find the appropriate token.
3. From the search results, click the token with which you want to work.


4. From the context menu, click Emergency Access Tokencodes.
5. On the Manage Emergency Access Tokencodes page, select the Online Emergency Access checkbox to enable authentication with an online emergency access tokencode.
6. Select Set of One-Time Tokencodes.
7. Enter the number of tokencodes that you want to generate.
8. Click Generate Codes. The set of tokencodes displays below the Generate Codes button.
9. Record the set of one-time tokencodes so you can communicate them to the user.
10. Select one of the following options for the Emergency Access Tokencode Lifetime:

• No expiration.

• Set an expiration date for the tokencode.

11. In the If Token Becomes Available field, configure how Authentication Manager handles lost or unavailable tokens that become available:

• Deny authentication with the recovered token. If a token is permanently lost or stolen, deny authentication with the recovered token so that it cannot be used for authentication if recovered by an unauthorized individual. This is essential if the lost token does not require a PIN.

• Allow authentication with the recovered token while simultaneously disabling the emergency access tokencode.

• Allow authentication with the recovered token only after the emergency access tokencode has expired.
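The temporary fixed tokencode and the set of one-time tokencodes described above share one state machine: an emergency code entered after the PIN (reusable until expiry for the fixed code, single-use for each code in a set), a lifetime, and the If Token Becomes Available policy that decides what happens when the original token turns up. The following Python model is an added illustration of that behaviour and is not the guide's own or Authentication Manager's code; the PIN, the emergency codes, the token's tokencode and the timestamps are constructed, and the only facts taken from the page are the 8-character alphanumeric code format, the PIN-plus-code passcode, single use for one-time codes, the lifetime, and the three policy options.

```python
import hmac

# The three values of If Token Becomes Available, as named on the
# Manage Emergency Access Tokencodes page.
DENY_TOKEN = "deny authentication with token"
ALLOW_TOKEN_DISABLE_EMERGENCY = "allow token at any time, disable emergency code"
ALLOW_TOKEN_AFTER_EXPIRY = "allow token only after emergency code expires"

T0 = 1_700_000_000   # constructed reference time, in seconds
DAY = 86_400


class EmergencyAccess:
    """Illustrative model of one token record that has an online emergency
    access tokencode assigned. It is not Authentication Manager's code."""

    def __init__(self, pin, codes, one_time, expires_at, policy):
        self.pin = pin
        self.codes = set(codes)       # temporary fixed: one code; one-time: a set
        self.one_time = one_time      # True: each code is burned after use
        self.expires_at = expires_at  # None means No expiration
        self.policy = policy
        self.emergency_enabled = True

    def _expired(self, now):
        return self.expires_at is not None and now >= self.expires_at

    def _split(self, passcode):
        # A passcode is the PIN followed by the tokencode, as for a normal token.
        return passcode[:len(self.pin)], passcode[len(self.pin):]

    def verify_emergency(self, passcode, now):
        """Authenticate with PIN + online emergency access tokencode."""
        if not self.emergency_enabled or self._expired(now):
            return False
        pin, code = self._split(passcode)
        if not hmac.compare_digest(pin, self.pin) or code not in self.codes:
            return False
        if self.one_time:
            self.codes.remove(code)   # a replayed one-time code must fail
        return True

    def verify_token(self, passcode, current_tokencode, now):
        """The missing token turns up and is used: apply the policy chosen
        under If Token Becomes Available when the emergency code was issued."""
        pin, code = self._split(passcode)
        if not (hmac.compare_digest(pin, self.pin)
                and hmac.compare_digest(code, current_tokencode)):
            return False
        if self.policy == DENY_TOKEN:
            return False
        if self.policy == ALLOW_TOKEN_AFTER_EXPIRY and not self._expired(now):
            return False
        self.emergency_enabled = False   # the recovered token is back in use
        return True


if __name__ == "__main__":
    # Constructed PIN, one-time codes and times. Real codes are 8-character
    # alphanumeric values generated by Authentication Manager.
    ea = EmergencyAccess("2468", ["A7K2P9Q4", "B3M8R1T6"], one_time=True,
                         expires_at=T0 + 2 * DAY,
                         policy=ALLOW_TOKEN_DISABLE_EMERGENCY)
    print("first use of A7K2P9Q4:", ea.verify_emergency("2468A7K2P9Q4", T0))
    print("replay of A7K2P9Q4:  ", ea.verify_emergency("2468A7K2P9Q4", T0))
    print("token recovered:     ", ea.verify_token("2468159357", "159357", T0))
    print("emergency after that:", ea.verify_emergency("2468B3M8R1T6", T0))
```

The model makes the trade-off between the policies concrete: Deny is the only option that is safe when the token may be in someone else's hands, while the two Allow options exist so that a user who merely left the token at home is not locked out of it later.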

• With a misplaced, lost, or stolen token. See Provide an Offline Emergency Access Tokencode on page 72. Users authenticate with their PIN and emergency tokencode.

• Who have forgotten their PIN. See Provide an Offline Emergency Passcode in the User Dashboard on page 72.


Provide an Offline Emergency Access Tokencode

An offline emergency access tokencode replaces the tokencode generated by the user's token. Similar to the tokencode used in non-emergency circumstances, the user enters the offline emergency access tokencode with a PIN to create a passcode, thus achieving two-factor authentication.

You can configure the following:

• Specify that a new offline emergency access tokencode is downloaded the next time the user authenticates online.

• Allow the offline emergency access tokencode to be used for online and offline authentication.

Before You Begin

The user must have authenticated to an agent that supports offline authentication, and the agent must have downloaded days of offline authentication data.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
2. Use the search fields to find the token for the user who needs an offline emergency access tokencode.
3. From the search results, click the token.
4. From the context menu, click Emergency Access Tokencodes.
5. On the Manage Emergency Access Tokencodes page, note the Offline Emergency Access Tokencode and its expiration date.
6. Select Reset Offline Emergency Access Tokencode if you want the user to download a new offline emergency access tokencode the next time he or she authenticates online. If selected, the new tokencode downloads automatically.
7. Click Use offline code for online access if you want the offline emergency access tokencode to be usable for online authentication.
8. Click Save.

Provide an Offline Emergency Passcode in the User Dashboard

Users who forgot their PIN may need an offline emergency passcode. An offline emergency passcode takes the place of the passcode (PIN + tokencode) that the user normally enters. The user does not need to possess the token or know the PIN to authenticate offline. Because a fixed passcode needs neither the token nor the PIN, it is a single secret standing in for two-factor authentication: set it only after verifying the caller's identity, and remove it once the user's PIN is restored.

Before You Begin

The user has authenticated to an agent that supports offline authentication, and the agent has downloaded days of offline authentication data.

Procedure

1. In the Security Console, go to the Home page.
2. Use Quick Search to find the user.
3. Select the user to whom you want to provide a fixed passcode.
4. Under User Profile, click Authentication Settings.
5. In Fixed Passcode, select Allow authentication with a fixed passcode.
6. In the Fixed Passcode and Confirm Fixed Passcode fields, enter a new passcode.
7. Click Save.


Managing RSA SecurID PINs

RSA SecurID PINs

A personal identification number (PIN) is a numeric or alphanumeric password used to authenticate a user. Users may be required to create PINs containing both letters and numbers and to change their PINs at regular intervals. A lost or stolen PIN puts protected resources at risk. For this reason, you should instruct users to report compromised PINs as soon as possible.

If users forget their PINs, you cannot require them to change their PINs in order to obtain a new one, because users need to know their PINs in order to change them. When a user forgets his or her PIN, you must clear the PIN before the user can create a new one. For instructions, see Clear an RSA SecurID PIN in the User Dashboard on page 75.

Users can also use the Self-Service Console to reset their PINs.

Clear an RSA SecurID PIN in the User Dashboard

When a user forgets a SecurID PIN, you can clear the PIN so that the user can create a new one. After you clear a user's PIN, the user creates a new PIN the next time he or she authenticates.

For example, suppose a user has forgotten a PIN and calls for help. You verify the user's identity and clear the PIN. You tell the user to enter just the tokencode when prompted for the passcode the next time he or she authenticates. After entering the tokencode, the user is prompted to create a new PIN for the token. Verify the caller's identity before clearing the PIN: until the new PIN has been set, the tokencode alone is enough to authenticate with that token.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.

3. Select the user whose PIN needs to be cleared.

4. Under Assigned SecurID Tokens, click the token with the PIN that needs to be cleared.


5. Click Clear PIN.

6. When prompted, click Clear PIN(s).

Obtain the PIN Unlocking Key for an RSA SecurID 800 Authenticator

Users with SecurID 800 authenticators need a PIN unlocking key to access their token if they have forgotten their PIN. Use the Security Console to view the smart card details and obtain the PIN unlocking key.

Before You Begin

You must load the SecurID 800 authenticator data into RSA Authentication Manager before you can view it.

Procedure

1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

2. Click the Assigned tab.

3. Use the search fields to find the smart card that you want to view.

4. From the search results, click the smart card that you want to view.

5. From the context menu, click Edit.

6. View the SID800 Smart Card Details section to obtain the PIN unlocking key.


10: RSA Self-Service

RSA Self-Service

RSA Self-Service is a web-based workflow system that provides user self-service options and automates the token deployment process. Self-Service has two components:

Self-Service. Users can perform some token maintenance tasks and troubleshooting without involving administrators. This reduces the time that you need to spend servicing deployed tokens, such as when users forget their PINs, misplace their tokens, require emergency access, or require token resynchronization.

Provisioning. Users can perform many of the steps in the token deployment process, and the system automates the workflow. This reduces the administrative overhead typically associated with deploying tokens, especially in a large-scale token deployment.

Certain tasks related to Self-Service still require administrative assistance. As a Help Desk Administrator, you may be asked to perform the following tasks:

Clear a Cached Copy of Windows Credentials in the User Dashboard

Managing Security Questions

Important: Users can only modify data that is stored in the internal database. Users cannot use the Self-Service Console to modify data that is stored in an LDAP directory, except when a password change is forced.

Clear a Cached Copy of Windows Credentials in the User Dashboard

If Windows password integration is enabled in the offline authentication policy, users can authenticate with only a Windows user name and an RSA SecurID passcode. To make this possible, RSA Authentication Manager saves a copy of each user's Windows password. That saved copy becomes invalid as soon as the Windows password is changed, and a logon that relies on it then fails. You can avoid the failed logon attempt by clearing the saved copy of the user's Windows password.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.

3. Select the user whose cached passwords you want to clear.


4. Under User Profile, click Authentication Settings.

Managing Authenticators for Self-Service Users

Users can request authenticators and emergency access through the Self-Service Console. You can use the Security Console to manage the types of authenticators available, emergency access tokencodes, and requests to replace expiring tokens.

Hardware Token Types Available for Request. You can select which types of tokens are available, the authentication method, and a default type for Self-Service users.

Software Token Profiles Available for Request. You can select which software token profiles are available. The software token profile designates the authentication method and the token delivery method. You can allow users to edit token attribute details, and you can select a default profile for Self-Service users.

On-Demand Authentication (ODA) Settings. You can allow users to request the ODA service as a primary authentication type. You need to configure the ODA settings before provisioning users can request this service.

Token File Password Settings. You can require users to provide a password to protect the software token file.

Emergency Access Tokencode Settings. Users whose tokens are temporarily or permanently unavailable may require emergency access. Self-Service users can obtain emergency access themselves rather than calling the Help Desk. You can configure the type of emergency access to make available to users.


Expiring Token Parameters. Users can request a replacement token through the Self-Service Console if a token is about to expire. You can configure the number of days before expiration that users can make this request. The default is within 30 days of expiration.

If you want reports about authenticator distribution and use, you can use the Authentication Manager standard reports or you can create custom reports.

Self-Service Request Management

Self-Service automatically sends e-mail to notify you about user requests that you need to review. The types of requests are:

Self-Service accounts for new users. A new user is one who is not in a directory server; the user must enter the information needed to create the account.

Changes in user group membership

New or additional SecurID tokens

Replace an expired or about to expire SecurID token

Replace a broken or permanently lost SecurID token

On-demand authentication

Approve and Reject User Requests

Self-Service automatically sends e-mail to Request Approvers about user requests. Each approval step requires a unique Request Approver. After you approve a request, Self-Service sends e-mail to the next participant (either a Request Approver or a Token Distributor) in the workflow. If you are the last participant in the workflow, Self-Service sends the user an e-mail stating that the request has been accepted or rejected.

Procedure

1. In the Security Console, click Administration > Provisioning.

2. Click the Pending tab to see all open user requests. If no requests appear, click Search to refresh the screen.

3. Click the request you want to work with.

4. Complete any missing information, and make any necessary changes to the request.

5. Under Action Required, select an option:

Defer Action - Saves the request without taking any action.

Approve request - Approves the request. When approved, the user receives e-mail indicating that the request has been approved.

Reject request - Rejects the request. When rejected, the user receives e-mail indicating that the request has been rejected.


6. (Optional) Add comments to the request. Your comments appear in the e-mail sent to the user when you take action on a request.

7. (Optional) Notes. Add any notes that you want to keep about this request. These notes are not sent to the user.

8. Click Go.

Search for User Requests

You can search for pending or closed provisioning requests by security domain and identity source. For example, you might want to know how many requests need approval.

Search results are only returned for the type of user request that you search for. For example, if you search for requests that require approval, you must run a new search to view requests that require distribution, or select "All" from the Status drop-down menu to see all types of requests.

Procedure

1. In the Security Console, click Administration > Provisioning.

2. Decide whether the request you want to search for is pending or closed, and click the appropriate tab.

3. On the Search panel, from the Security Domain drop-down list, select the security domain you want to search.

4. From the Identity Source drop-down list, select the identity source of the user whose request you want to find.

5. From the Status drop-down menu, select the type of request you want.

6. Use the Where field to select the search criteria. For example, enter User Last name, starts with, and S to search for requests made by users with last names that start with S.

7. Click Search.

View User Requests

You can view pending and closed provisioning requests in the Security Console. For example, you can view a request to learn its status.

Procedure

1. In the Security Console, click Administration > Provisioning.

2. Click the Pending tab to see all open requests, or the Closed tab to see all closed requests.

3. Use the search fields to find the request you want to view.

4. Click the request you want to view.


Complete User Requests

Self-Service automatically sends e-mail to Request Approvers about user requests that need approval. After the request is approved, Self-Service sends an e-mail notification to the next participant in the workflow. Each approval step requires a unique Request Approver. To complete a request, a Request Approver may have to give final approval to the request, or distribute a token to a user.

Procedure

1. In the Security Console, click Administration > Provisioning.

2. Click the Pending tab to see all open user requests. If no requests display, click Search to refresh the screen.

3. Click the user request with which you want to work.

4. Complete any missing information, and make any necessary changes to the request.

5. Under Action Required, do one of the following.

Select Defer Action and click Submit. The Provisioning page displays.

Select Approve Request and do one of the following:

    If you have distribution steps, click Submit & Continue. The Properties page displays, where you continue this procedure with step 6.

    If you have no distribution steps, click Submit. The Provisioning page displays.

Select Reject Request and click Submit. The Provisioning page displays.

6. On the Properties page, under Action Required, select Complete action item by indicating how to assign and distribute token, and do one of the following:

For hardware tokens:

Under Assignment Method, select the method you want to use to assign the token:

    Notify third-party or user to assign token - If you use a third-party distribution company to distribute tokens, decide how to notify the company or users to assign tokens.

    Assign SecurID token serial number myself - If you assign the token yourself, type the hardware token serial number in this field.

Under Distribution Method, select the method you want to use to deliver the token to the user: Notify third-party to deliver, or Deliver the token myself.


For software tokens, select Mark action item as completed to close the request.


7. (Optional) Under Comment to User, enter any comments that you want sent to the user in an e-mail.

8. Click Submit.

Cancel User Requests

Occasionally, it may be necessary to cancel a user request. When this happens, Self-Service generates an e-mail that contains comments from the workflow participant who canceled the request, and sends it to the user.

Procedure

1. In the Security Console, click Administration > Provisioning, and then click the Pending tab to see all open user requests. If no requests appear, click Search to refresh the screen.

2. Click the checkbox of the request you want to cancel.

3. From the Action menu, select Cancel Request.

4. Click Go.

5. Under Comment to User, enter the reason why you canceled the request.

6. Click Cancel Requests.
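The rules spread over Approve and Reject User Requests, Complete User Requests and Cancel User Requests (one unique Request Approver per approval step, the next participant notified after each approval, the user notified by the last participant, a serial number needed before a hardware token is distributed, any participant able to cancel) fit in a small state model. The Python below is an added example and is not code from RSA Authentication Manager; the class names, the participant IDs, the e-mail wording and the serial number in demo() are assumptions used for illustration.

```python
"""Model of a Self-Service provisioning request moving through its workflow.
Added example, not RSA code: class names, participant IDs and e-mail text are
assumptions used to illustrate the approve/reject/distribute/cancel rules."""
from dataclasses import dataclass, field
from typing import List, Optional


class WorkflowError(Exception):
    """An action that the workflow rules do not allow."""


@dataclass(frozen=True)
class Participant:
    user_id: str
    role: str  # "approver" (Request Approver) or "distributor" (Token Distributor)


@dataclass
class ProvisioningRequest:
    request_id: str
    requester_email: str
    token_kind: str                 # "hardware" or "software"
    workflow: List[Participant]     # approval steps first, then distribution steps
    position: int = 0               # participant whose action is currently pending
    status: str = "pending"         # pending | approved | rejected | cancelled
    serial: Optional[str] = None    # hardware token serial set at distribution time
    notifications: List[str] = field(default_factory=list)  # e-mails the system would send

    def __post_init__(self) -> None:
        approvers = [p.user_id for p in self.workflow if p.role == "approver"]
        # Each approval step requires a unique Request Approver (separation of duties).
        if len(approvers) != len(set(approvers)):
            raise WorkflowError("the same Request Approver appears in two approval steps")

    def current(self) -> Optional[Participant]:
        return self.workflow[self.position] if self.position < len(self.workflow) else None

    def _notify(self, recipient: str, text: str) -> None:
        self.notifications.append(f"to={recipient}: {text}")

    def _require(self, actor: str, role: Optional[str] = None) -> None:
        # Only the participant whose step is pending may act, and only on an open request.
        if self.status != "pending":
            raise WorkflowError(f"request {self.request_id} is already {self.status}")
        step = self.current()
        if step is None or step.user_id != actor or (role and step.role != role):
            raise WorkflowError(f"{actor} has no pending action on {self.request_id}")

    def _advance(self, comment: str) -> str:
        self.position += 1
        nxt = self.current()
        if nxt is None:  # last participant: the user is told the request was accepted
            self.status = "approved"
            self._notify(self.requester_email,
                         f"request {self.request_id} accepted. {comment}".strip())
        else:            # otherwise the next approver or distributor is asked to act
            self._notify(nxt.user_id, f"request {self.request_id} needs your action")
        return self.status

    def approve(self, approver: str, comment: str = "") -> str:
        self._require(approver, "approver")
        return self._advance(comment)

    def reject(self, approver: str, comment: str = "") -> str:
        self._require(approver, "approver")
        self.status = "rejected"
        self._notify(self.requester_email,
                     f"request {self.request_id} rejected. {comment}".strip())
        return self.status

    def distribute(self, distributor: str, serial: Optional[str] = None) -> str:
        """Token Distributor completes the action item: a hardware token needs a serial
        number (assigned by the distributor or a third party); a software token is
        simply marked as completed."""
        self._require(distributor, "distributor")
        if self.token_kind == "hardware":
            if not serial:
                raise WorkflowError("hardware token distribution needs a serial number")
            self.serial = serial
        return self._advance("")

    def cancel(self, actor: str, reason: str) -> str:
        """Any workflow participant may cancel an open request; the user gets the reason."""
        if self.status != "pending":
            raise WorkflowError(f"request {self.request_id} is already {self.status}")
        if actor not in {p.user_id for p in self.workflow}:
            raise WorkflowError("only a workflow participant can cancel a request")
        self.status = "cancelled"
        self._notify(self.requester_email, f"request {self.request_id} cancelled: {reason}")
        return self.status


def demo() -> ProvisioningRequest:
    """Two approval steps followed by hardware token distribution (constructed data)."""
    req = ProvisioningRequest(
        request_id="REQ-0001", requester_email="user@example.com", token_kind="hardware",
        workflow=[Participant("approver1", "approver"),
                  Participant("approver2", "approver"),
                  Participant("distributor1", "distributor")])
    req.approve("approver1")
    req.approve("approver2", "Approved for the remote access VPN.")
    req.distribute("distributor1", serial="000123456789")
    return req
```

The uniqueness check lives in __post_init__ rather than in approve(): a workflow that names the same administrator for two approval steps is rejected when it is defined, so the separation of duties cannot be bypassed by the order in which people act. Everything else is enforced at the point of action: an actor who is not the pending participant, or who acts on a closed request, is refused before any state changes.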


11: Managing Reports

Reports

Reports provide access to logged information, and to current information about the users, administrators, and system activity in a deployment. This information is useful for troubleshooting, auditing security issues, and demonstrating compliance with various policies.

You create a report using a supplied template. Each template allows you to choose the types of information being reported and which parameters to apply in order to refine that information. You can view activities for all administrators, or you can display detailed information on one administrator.

In addition, you can perform the following reporting tasks:

View and download completed reports, and view reports that are currently running or waiting in the report queue. You can view the report output in the Security Console, or download the report as a CSV, XML, or HTML file.

Transfer reports to other security domains. When running a report, change the report ownership so that the administrative scope is narrowed or broadened.

Run a Report Job

To generate output from a report that you have created, you must run the report. After you run the report, you can view the report output in a browser, or save the report as a CSV, XML, or HTML file. When you run the report, download it to your local machine and view it with the associated application.

You may only run reports that fall within the scope of your administrative role. If an error indicates that you have insufficient privileges, review your permissions carefully. The report fails if it needs to access data that you are not permitted to view. For example, the All Users report requires permission to view all of the security domains in the deployment, because it accesses the security domains to which the reported users belong.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Click the report that you want to run, and click Run Report Job Now.


3. Enter any input parameters required by the report.

4. Click Run Report.

5. Click the Completed tab to view the report output.

View a Report Template

You can view a list of all saved report templates. After the list displays, you may edit or run the reports in the list.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Use the search fields to find the report that you want to view.

3. Click the report, and click View.

View an In-Progress Report Job

You can only view reports that are included in your administrative scope.

Procedure

In the Security Console, click Reporting > Report Output > In Progress. You can cancel a report job from this tab.

View a Completed Report

Perform this procedure to view the output of a completed report saved in the system.

Procedure

1. In the Security Console, click Reporting > Report Output > Completed Reports.

2. Under the Completed tab, click the report job that you want to view, and select how to display it. You can save the report output as a CSV, XML, or HTML file, or send the output directly to a web browser for display. The figure below shows an example of output that is viewed in a web browser.

Delete reports when they are no longer needed: a downloaded report is a copy of user and activity data that the Security Console's permissions no longer protect.
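A downloaded CSV report is where a help desk or security analyst usually first looks for a pattern such as a burst of rejected passcodes that ends in a success. The Python below is an added example and is not part of the guide or of the product: the column names (Time, User ID, Agent, Result, Description) and the sample rows are constructed, and the layout of a real export depends on the report template you ran, so adjust the FIELD_* names to the header line of your own file.

```python
"""Triage of a downloaded authentication report (CSV export).
Added example, not part of the guide or the product. The column names and the
sample rows are constructed; check them against your own export's header."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column names; adjust these to match your export's header line.
FIELD_TIME, FIELD_USER, FIELD_AGENT = "Time", "User ID", "Agent"
FIELD_RESULT, FIELD_DESC = "Result", "Description"

# Constructed sample export: mjones has a burst of rejected passcodes that
# ends in a success; jsmith has one ordinary failure.
SAMPLE_CSV = """\
Time,User ID,Agent,Result,Description
2014-03-10 08:01:02,jsmith,vpn-gw01,SUCCESS,Authentication succeeded
2014-03-10 08:14:10,mjones,vpn-gw01,FAILURE,Passcode rejected
2014-03-10 08:14:31,mjones,vpn-gw01,FAILURE,Passcode rejected
2014-03-10 08:14:55,mjones,vpn-gw02,FAILURE,Passcode rejected
2014-03-10 08:15:20,mjones,vpn-gw02,FAILURE,Passcode rejected
2014-03-10 08:15:48,mjones,vpn-gw02,SUCCESS,Authentication succeeded
2014-03-10 09:40:00,jsmith,owa01,FAILURE,Passcode rejected
"""


def parse_report(text):
    """Turn the CSV text into a time-ordered list of event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row[FIELD_TIME], "%Y-%m-%d %H:%M:%S"),
            "user": row[FIELD_USER],
            "agent": row[FIELD_AGENT],
            "ok": row[FIELD_RESULT].strip().upper() == "SUCCESS",
            "desc": row[FIELD_DESC],
        })
    events.sort(key=lambda e: e["time"])
    return events


def failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Find users with >= threshold failed authentications inside a sliding window,
    and note whether a success followed the burst (a guessed or stolen credential
    looks like this; a mistyped passcode usually does not)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, user_events in by_user.items():
        fails = [e for e in user_events if not e["ok"]]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["time"] - fails[i]["time"] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = fails[j]["time"]
                findings[user] = {
                    "failures": count,
                    "agents": sorted({e["agent"] for e in fails[i:j + 1]}),
                    "success_after": any(e["ok"] and e["time"] > burst_end
                                         for e in user_events),
                }
                break
    return findings


if __name__ == "__main__":
    for user, info in failure_bursts(parse_report(SAMPLE_CSV)).items():
        print(user, info)
```

With the sample data, mjones is reported with four failures across two agents followed by a success, and jsmith is not reported. The threshold and window are deliberately parameters: what counts as a burst depends on how many attempts the token policy allows before lockout in your deployment.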


Edit a Report

You can edit a report to change the information that is included in the report, or to change the information that must be entered when the report is run. Only the administrator who created the report can change the Run As option.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Select the report that you want to edit, and click Edit.

3. Make any necessary changes to the report.

4. Click Save. If you have not yet saved your edits, you can click Reset to return the report to the state it was in before you began editing.


12: Monitoring User Activity in Real-Time

Real-time Monitoring Using Activity Monitors

You can use Activity Monitors to view RSA Authentication Manager activity, such as log entries, in real time. There are four Activity Monitors. The Authentication Activity, System Activity, and Administration Activity monitors each open in a separate browser window and display a different type of information; the Authentication Activity Monitor in the User Dashboard opens within the User Dashboard.

Monitor                                  Information Displayed

Authentication Activity                  Which user is authenticating
                                         Source of the authentication request
                                         Server used for authentication

System Activity                          Time of an activity
                                         Description of activity
                                         Whether the activity succeeded
                                         Server where the activity took place

Administration Activity                  Changes such as when users are added or deleted

Authentication Activity Monitor          Log entries for authentication activity over the past
in the User Dashboard                    seven days for one user, maximum of 50 records:
                                         time of activity, result of activity, and
                                         description of activity

You can customize the information displayed. For example, you can use the Administration Activity Monitor to view the activity of a specific administrator, User ID, authentication agent, or security domain.

You can open multiple Activity Monitor windows at the same time. For example, you can simultaneously monitor a specific administrator, an entire user group, and an entire security domain.

You can pause the Activity Monitor and review specific log messages. When you resume monitoring, all log messages generated while the Activity Monitor was paused are added at the top of the Activity Monitor display. If the number of new messages exceeds the number of messages selected for display, only the most recent are displayed. For example, if you configured the monitor to display 100 messages, but there are 150 new messages, only the 100 most recent are displayed and the other 50 never appear in the monitor, so use a report or the audit log rather than the monitor when you need a complete record.


View Messages in the Activity Monitor

Use this procedure to view messages in the Activity Monitor when troubleshooting problems.

Procedure

1. In the Security Console, click Reporting > Real-time Activity Monitors, and select an available Activity Monitor.

2. Specify the criteria of the log messages that you want the Activity Monitor to display. Leave these fields blank to view all activity.

3. Click Start Monitor.

4. When a message that you want to view displays, click Pause Monitor.

5. Click the date and time of the message that you want to view.

View Recent Authentication Activity in the User Dashboard

You can view a user's authentication activity through the User Dashboard in real time. You can customize the information displayed. A maximum of 50 records can be shown.

Procedure

1. In the Security Console, go to the Home page.

2. Use Quick Search to find the user.

3. Select the user whose recent authentication activity you want to view.


are listed. This is an example of a user's activities for the past seven days. It covers the time of each activity, a description of each activity, and the result of the activity.


Glossary

Active Directory
The directory service that is included with Microsoft Windows Server 2003 SP2, Microsoft Windows Server 2008, and Microsoft Windows Server 2008 R2.

Active Directory forest
A federation of identity servers for Windows Server environments. All identity servers share a common schema, configuration, and Global Catalog.

administrative role
A collection of permissions and the scope within which those permissions apply.

administrator
Any user with one or more administrative roles that grant administrative permission to manage the system.

agent host
The machine on which an agent is installed.

appliance
The hardware or guest virtual machine running RSA Authentication Manager. The appliance can be set up as a primary instance or a replica instance.

approver
A Request Approver or an administrator with approver permissions.

assurance level
For risk-based authentication, the system categorizes each authentication attempt into an assurance level that is based on the user's profile, device, and authentication history. If the authentication attempt meets the minimum assurance level that is required by the RBA policy, the user gains access to the RBA-protected resource. Otherwise, the user must provide identity confirmation to access the RBA-protected resource.

attribute
A characteristic that defines the state, appearance, value, or setting of something. In Authentication Manager, attributes are values associated with users and user groups. For example, each user group has three standard attributes called Name, Identity Source, and Security Domain.

attribute mapping
The process of relating a user or user group attribute, such as User ID or Last Name, to one or more identity sources linked to the system. No attribute mapping is required in a deployment where the internal database is the primary identity source.

audit information
Data found in the audit log representing a history of system events or activity, including changes to policy or configuration, authentications, authorizations, and so on.


audit log
A system-generated file that is a record of system events or activity. The system includes four such files, called the Trace, Administrative, Runtime Audit, and System logs.

authentication
The process of reliably determining the identity of a user or process.

authentication agent
A software application installed on a device, such as a domain server, web server, or desktop computer, that enables authentication communication with Authentication Manager on the network server. See agent host.

authentication method
The type of procedure required for obtaining authentication, such as a one-step procedure, a multiple-option procedure (user name and password), or a chained procedure.

authentication protocol
The convention used to transfer the credentials of a user during authentication, for example, HTTP-BASIC/DIGEST, NTLM, Kerberos, and SPNEGO.

authentication server
A component made up of services that handle authentication requests, database operations, and connections to the Security Console.

authenticator
A device used to verify a user's identity to Authentication Manager. This can be a hardware token (for example, a key fob) or a software token.

authorization
The process of determining if a user is allowed to perform an operation on a resource.

backup
A file that contains a copy of your primary instance data. You can use the backup file to restore the primary instance in a disaster recovery situation. An RSA Authentication Manager backup file includes the internal database, appliance-only data and configuration, keys and passwords used to access internal services, and internal database log files. It does not include all the appliance and operating system log files. Because the backup contains those keys and passwords, protect the file as carefully as the appliance itself.

certificate
A signed statement that binds a public key to its holder; the public key corresponds with a private key. A certificate is either self-signed or signed with the private key of another certificate.

certificate DN
The distinguished name of the certificate issued to the user for authentication.

command line utility (CLU)
A utility that provides a command line user interface.


core attributes
The fixed set of attributes commonly used by all RSA products to create a user. These attributes are always part of the primary user record, whether the deployment is in an LDAP or RDBMS environment. You cannot exclude core attributes from a view, but they are available for delegation.

Cryptographic Token-Key Initialization Protocol (CT-KIP)
A client-server protocol for the secure initialization and configuration of software tokens. The protocol requires neither private-key capabilities in the tokens nor an established public-key infrastructure. Successful execution of the protocol results in the generation of the same shared secret on both the server and the token.

custom attributes
An attribute you create in Authentication Manager and map to a field in an LDAP directory. For example, you could create a custom attribute for a user's department.

data store
A data source, such as a relational database (Oracle or DB2) or directory server (Microsoft Active Directory or Oracle Directory Server). Each type of data source manages and accesses data differently.

delegated administration
A scheme for defining the scope and responsibilities of a set of administrators. It permits administrators to delegate a portion of their responsibilities to another administrator.

delivery address
The e-mail address or the mobile phone number where the on-demand tokencodes will be delivered.

deployment
An installation of Authentication Manager that consists of a primary instance and, optionally, one or more replica instances.

demilitarized zone
The area of a network configured between two network firewalls.

device history
For risk-based authentication, the system maintains a device history for each user. It includes the devices that were used to gain access to protected resources.

device registration
For risk-based authentication, the process of saving an authentication device to the user's device history.

distribution file password
A password used to protect the distribution file when the distribution file is sent by e-mail to the user.

distributor
A Token Distributor or an administrator with distributor permissions.

DMZ
See demilitarized zone.


dynamic seed provisioning

The automation of all the steps required to provide a token file to a device that hosts a software token, such as a web browser, using the Cryptographic Token-Key Initialization Protocol (CT-KIP).

e-mail notifications
Messages containing status information about requests for user enrollment, tokens, and user group membership, sent to the users who initiated the request. For token requests, e-mail notifications also contain information about how to download and activate tokens. Request Approvers and Token Distributors receive e-mail notifications about requests that require their action. See e-mail templates.

e-mail templates
Templates that administrators can use to customize e-mail notifications about user requests for user enrollment, tokens, user group membership, or the on-demand tokencode service. See e-mail notifications.

excluded words dictionary
A dictionary containing a record of words that users cannot use as passwords. It prevents users from using common, easily guessed words as passwords.

fixed passcode
A value, similar to a password, that users can enter to gain access in place of a PIN and tokencode. The format for fixed passcodes is defined in the token policy assigned to a security domain. An administrator creates a fixed passcode in a user's authentication settings page. Fixed passcodes can be alphanumeric and contain special characters, depending on the token policy. Because a fixed passcode replaces both the PIN and the tokencode, it provides only a single factor; treat it as a temporary measure.

Global Catalog
A read-only, replicated repository of a subset of the attributes of all entries in an Active Directory forest.

Global Catalog identity source
An identity source that is associated with an Active Directory Global Catalog. This identity source is used for finding and authenticating users, and resolving group membership within the forest.

identity attribute
Customer-defined attributes that are mapped to an existing customer-defined schema element. They are always stored in the same physical repository as the user's or user group's core attribute data. You can search, query, and report on these attributes. Each identity attribute definition must map to an existing attribute in an LDAP directory or RDBMS.

identity confirmation method
For risk-based authentication, an authentication method that can be used to confirm a user's identity.

identity source
A data store containing user and user group data. The data store can be the internal database or an external directory server, such as Microsoft Active Directory.


instance
An installation of RSA Authentication Manager that can be set up as a primary instance or a replica instance. An instance also includes a RADIUS server.

internal database
The Authentication Manager proprietary data source.

keystore
The facility for storing keys and certificates.

load balancer
A deployment component used to distribute authentication requests across multiple computers to achieve optimal resource utilization. The load balancer is usually dedicated hardware or software that can provide redundancy, increase reliability, and minimize response time. See round robin DNS.

lower-level security domain
In a security domain hierarchy, a security domain that is nested within another security domain.

minimum assurance level
See assurance level.

node secret
A long-lived symmetric key that the agent uses to encrypt the data in the authentication request. The node secret is known only to Authentication Manager and the agent.

on-demand tokencode
A tokencode delivered by SMS or SMTP. These tokencodes require the user to enter a PIN to achieve two-factor authentication. On-demand tokencodes are user-initiated: Authentication Manager only sends a tokencode to the user when it receives a user request. An on-demand tokencode can be used only once. The administrator configures the lifetime of an on-demand tokencode. See on-demand tokencode service.

on-demand tokencode service
A service that allows enabled users to receive tokencodes by text message or e-mail, instead of by tokens. You configure the on-demand tokencode service and enable users in the Security Console.

Operations Console
An administrative user interface through which the user configures and sets up Authentication Manager, for example, adding and managing identity sources, adding and managing instances, and disaster recovery.

permissions
Specifies which tasks an administrator is allowed to perform.

preferred instance
The Authentication Manager instance that the risk-based authentication service in the web tier communicates with first. Also, the instance that provides updates to the web tier. Any instance can be the preferred instance. For example, you can configure a replica instance as the preferred instance.
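The on-demand tokencode entries above list four properties: the code is sent only when the user asks for it, it has an administrator-configured lifetime, it is valid once, and a PIN is still required as the second factor. The Python below is an added example (not RSA code) that models a service with those properties; the in-memory storage, the injectable clock, the delivery callback and the eight-digit code length are assumptions.

```python
"""Model of an on-demand tokencode service with the properties the glossary
lists: user-initiated delivery, administrator-configured lifetime, single use,
and a PIN as the second factor. Added example, not RSA code; the storage layout,
the injectable clock, the delivery callback and the code length are assumptions."""
import hmac
import secrets
import time
from hashlib import sha256
from typing import Callable, Dict

TOKENCODE_DIGITS = 8  # assumption; the real length is a product setting


def _digest(value: str) -> bytes:
    # Demonstration only: a production PIN store would use a slow password hash.
    return sha256(value.encode()).digest()


class OnDemandTokencodeService:
    def __init__(self, lifetime_seconds: int, deliver: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds    # configured by the administrator
        self.deliver = deliver              # SMS or SMTP sender (a test double here)
        self.clock = clock
        self.users: Dict[str, dict] = {}    # user_id -> {"pin": digest, "address": str}
        self.pending: Dict[str, dict] = {}  # user_id -> {"code": digest, "expires": float}

    def enable_user(self, user_id: str, pin: str, delivery_address: str) -> None:
        self.users[user_id] = {"pin": _digest(pin), "address": delivery_address}

    def request_tokencode(self, user_id: str) -> bool:
        """User-initiated: nothing is sent unless an enabled user asks for a code."""
        user = self.users.get(user_id)
        if user is None:
            return False
        code = "".join(secrets.choice("0123456789") for _ in range(TOKENCODE_DIGITS))
        # Store only a digest; a new request replaces any code still pending.
        self.pending[user_id] = {"code": _digest(code),
                                 "expires": self.clock() + self.lifetime}
        self.deliver(user["address"], code)
        return True

    def authenticate(self, user_id: str, pin: str, tokencode: str) -> bool:
        """Two-factor check: the PIN (something the user knows) plus the delivered
        code (proof of control of the delivery address). True only if both match."""
        user = self.users.get(user_id)
        entry = self.pending.get(user_id)
        if user is None or entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user_id]       # lifetime exceeded: the user must request again
            return False
        pin_ok = hmac.compare_digest(user["pin"], _digest(pin))
        code_ok = hmac.compare_digest(entry["code"], _digest(tokencode))
        # Single use: the code is consumed whether or not the attempt succeeds, so a
        # captured tokencode cannot be replayed while the PIN is guessed.
        del self.pending[user_id]
        return pin_ok and code_ok
```

Consuming the code on a failed attempt is a deliberate choice: if the code survived a wrong PIN, someone who intercepted the text message could keep trying PINs against it for the whole lifetime. Requiring a fresh request after every attempt keeps each delivered code to one guess.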


primary instance
The installed deployment where authentication and all administrative actions are performed.

promotion, for disaster recovery
The process of configuring a replica instance to become the new primary instance. During promotion, the original primary instance is detached from the deployment. All configuration data referring to the original primary instance is removed from the new primary instance.

promotion, for maintenance
The process of configuring a replica instance to become the new primary instance when all instances are healthy. During promotion, a replica instance is configured as a primary instance. The original primary instance is demoted and configured as a replica instance.

provisioning
See token provisioning.

provisioning data
The provisioning server-defined data. This is a container of information necessary to complete the provisioning of a token device.

RADIUS
See Remote Authentication Dial-In User Service.

RBA
See risk-based authentication.

RBA integration script
A script that redirects the user from the default logon page of a web-based application to a customized logon page. This allows Authentication Manager to authenticate the user with risk-based authentication. To generate an integration script, you must have an integration script template.

realm
An organizational unit that includes all of the objects managed within a single deployment, such as users and user groups, tokens, password policies, and agents. Each deployment has only one realm.

Remote Authentication Dial-In User Service (RADIUS)
A protocol for administering and securing remote access to a network. A RADIUS server receives remote user access requests from RADIUS clients, for example, a VPN.

replica instance
The installed deployment where authentication occurs and at which an administrator can view the administrative data. No administrative actions are performed on the replica instance.

replica package
A file that contains configuration data that enables the replica appliance to connect to the primary appliance. You must generate a replica package before you set up a replica appliance.


requests
Allows users to enroll, as well as request tokens, the on-demand tokencode service, and user group membership.

Request Approver
A predefined administrative role that grants permission to approve requests from users for user enrollment, tokens, or user group membership.

risk-based authentication (RBA)
An authentication method that analyzes the user's profile, authentication history, and authentication device before granting access to a protected resource.

risk engine
In Authentication Manager, the risk engine intelligently assesses the authentication risk for each user. It accumulates knowledge about each user's device and behavior over time. When the user attempts to authenticate, the risk engine refers to its collected data to evaluate the risk. The risk engine then assigns an assurance level, such as high, medium, or low, to the user's authentication attempt.

round robin DNS
An alternate method of load balancing that does not require dedicated software or hardware. When the Domain Name System (DNS) server is configured and enabled for round robin, the DNS server sends risk-based authentication (RBA) requests to the web-tier servers. See Load Balancer.

scope
In a deployment, the security domain or domains within which a role's permissions apply.

Secure Sockets Layer (SSL)
A protocol that uses cryptography to enable secure communication over the Internet. SSL is widely supported by leading web browsers and web servers.

Security Console
An administrative user interface through which the user performs most of the day-to-day administrative activities.

security domain
A container that defines an area of administrative management responsibility, typically in terms of business units, departments, partners, and so on. Security domains establish ownership and namespaces for objects (users, roles, permissions, and so on) within the system. They are hierarchical.

security questions
A way of allowing users to authenticate without using their standard method. To use this service, a user must answer a number of security questions. To authenticate using this service, the user must correctly answer all or a subset of the original questions.

self-service
A component of Authentication Manager that allows the user to update user profiles, change passwords for the Self-Service Console, configure life questions, clear devices enabled for risk-based authentication, change e-mail addresses or phone numbers for on-demand authentication, and manage on-demand authentication PINs. The user can also request, maintain, and troubleshoot tokens.


Self-Service Console
A user interface through which the user can update user profiles, change passwords for the Self-Service Console, configure life questions, clear devices enabled for risk-based authentication, change e-mail addresses or phone numbers for on-demand authentication, and manage on-demand authentication PINs. Users can also request, maintain, and troubleshoot tokens on the Self-Service Console.

session
An encounter between a user and a software application that contains data pertaining to the user's interaction with the application. A session begins when the user logs on to the software application and ends when the user logs off of the software application.

shipping address
An address used by distributors to distribute hardware tokens.

silent collection
For risk-based authentication, a period during which the system silently collects data about each user's profile, authentication history, and authentication devices without requiring identity confirmation during logon.

SSL
See Secure Sockets Layer.

Super Admin
An administrator with permissions to perform all administrative tasks in the Security Console. A Super Admin:

• Can link identity sources to the system

• Has full permissions within a deployment

• Can assign administrative roles within a deployment

system event
System-generated information related to nonfunctional system events, such as server startup and shutdown, failover events, and replication events.

System log
A persistable store for recording system events.

time-out
The amount of time (in seconds) that the user's desktop can be inactive before reauthentication is required.

token distributor
A predefined administrative role that grants permission to act upon requests from users for tokens. Distributors record how they plan to deliver tokens to users and close requests.

token provisioning
The automation of all the steps required to provide enrollment, user group membership, RSA SecurID tokens, and the on-demand tokencode service to users. See also self-service.


top-level security domain
The top-level security domain is the first security domain in the security domain hierarchy. The top-level security domain is unique in that it links to the identity source or sources and manages the password, locking, and authentication policy for the entire deployment.

Trace log
A persistable store for trace information.

trusted realm
A trusted realm is a realm that has a trust relationship with another realm. Users on a trusted realm have permission to authenticate to another realm and access the resources on that realm. Two or more realms can have a trust relationship. A trust relationship can be either one-way or two-way.

trust package
An XML file that contains configuration information about the deployment.

UDP
See User Datagram Protocol.

User Datagram Protocol (UDP)
A protocol that allows programs on networked computers to communicate with one another by sending short messages called datagrams.

User ID
A character string that the system uses to identify a user attempting to authenticate. Typically a User ID is the user's first initial followed by the last name. For example, Jane Doe's User ID might be jdoe.

virtual host
Physical computer on which a virtual machine is installed. A virtual host helps manage traffic between web-based applications, web-tier deployments, and the associated primary instance and replica instances.

virtual hostname
The publicly-accessible hostname. End users use this virtual hostname to authenticate through the web tier. The system also generates SSL information based on the virtual hostname. The virtual hostname must be the same as the load balancer hostname.

web tier
A web tier is a platform for installing and deploying the Self-Service Console, Dynamic Seed Provisioning, and the risk-based authentication (RBA) service in the DMZ. The web tier prevents end users from accessing your private network by receiving and managing inbound internet traffic before it enters your private network.

workflow
The movement of information or tasks through a work or business process. A workflow can consist of one or two approval steps and a distribution step for different requests from users.

workflow participant
Either approvers or distributors. Approvers review, approve, or defer user requests. Distributors determine the distribution method for token requests and record the method for each request. See also workflow.